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Bit commitment protocols whose security is based on the laws of quantum mechanics alone are 
generally held to be impossible. In this paper we give a strengthened and explicit proof of this result. 
We extend its scope to a much larger variety of protocols, which may have an arbitrary number 
of rounds, in which both classical and quantum information is exchanged, and which may include 
aborts and resets. Moreover, we do not consider the receiver to be bound to a fixed "honest" 
strategy, so that "anonymous state protocols", which were recently suggested as a possible way 
to beat the known no-go results are also covered. We show that any concealing protocol allows 
the sender to find a cheating strategy, which is universal in the sense that it works against any 
strategy of the receiver. Moreover, if the concealing property holds only approximately, the cheat 
goes undetected with a high probability, which we explicitly estimate. The proof uses an explicit 
formalization of general two party protocols, which is applicable to more general situations, and a 
new estimate about the continuity of the Stinespring dilation of a general quantum channel. The 
result also provides a natural characterization of protocols that fall outside the standard setting of 
unlimited available technology, and thus may allow secure bit commitment. We present a new such 
protocol whose security, perhaps surprisingly, relies on decoherence in the receiver's lab. 
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I. INTRODUCTION 

Bit commitment is a cryptographic primitive involving 
two mistrustful parties, conventionally called Alice and 
Bob. Alice is supposed to submit an encoded bit of in- 
formation to Bob in such a way that Bob has (almost) 
no chance to identify the bit before Alice later decodes it 
for him, whereas Alice has (almost) no way of changing 
the value of the bit once she has submitted it: in tech- 
nical terms, a good bit commitment protocol should be 
simultaneously concealing and binding. 

Bit commitment has immediate practical applications, 
and is also known to be a very powerful cryptographic 
primitive. It was conceived by Blum [| as a building 
block for secure coin tossing. Bit commitment also allows 
to implement secure oblivious transfer 0, [H, 0| , which in 
turn is sufficient to establish secure two-party computa- 
tion [a, Q. 

A standard example to illustrate bit commitment is for 
Alice to write the bit down on a piece of paper, which 
is then locked in a safe and sent to Bob, whereas Alice 
keeps the key. At a later time, she will unveil by handing 
over the key to Bob. However, Bob has a well-equipped 
toolbox at home and may have been able to open the 
safe in the meantime. So while this scheme may offer 
reasonably good practical security, it is in principle inse- 
cure. Yet all bit commitment schemes that have wide cur- 
rency today rely on such technological constraints: not 
on strongboxes and keys, but on unproven assumptions 
that certain computations are hard to perform. Several 
such protocols have been suggested, either computation- 
ally binding p| 0, H, Q or computationally concealing 
(Tq , ITU . Cryptographers have long known that without 
such technological constraints, bit commitment (like any 
other interesting two-party cryptographic primitive) can- 
not be securely implemented in a classical world [5| . 

It has therefore been a long-time challenge for quan- 
tum cryptographers to find unconditionally secure quan- 
tum bit commitment protocols, in which — very much in 
parallel to quantum key distribution [l2l . Il3j — security 
is guaranteed by the laws of quantum physics alone. 



A. Quantum Bit Commitment and the No-Go 
Theorem 

The first quantum bit commitment protocol is due to 
Bennett and Brassard and appears in their famous 1984 
quantum cryptography paper in a version adapted 
to coin tossing. In their scheme, Alice commits to a bit 
value by preparing a sequence of photons in either of 



two mutually unbiased bases, in a way that the resulting 
quantum states are indistinguishable to Bob. The au- 
thors show that their protocol is secure against so-called 
passive cheating, in which Alice initially commits to the 
bit value k, and then tries to unveil 1 — k later. However, 
they also prove that Alice can cheat with a more sophis- 
ticated strategy, in which she initially prepares pairs of 
maximally entangled states instead, keeps one particle of 
each pair in her lab and sends the second particle to Bob. 
It is a direct consequence of the EPR effect that Alice can 
then unveil either bit at the opening stage by measuring 
her particles in the appropriate basis, and Bob has no 
way to detect the difference. 

Subsequent proposals for bit commitment schemes 
tried to evade this type of attack by forcing the players 
to carry out measurements and communicate classically 
as they go through the protocol. At a 1993 conference 
Brassard, Crepeau, Jozsa, and Langlois presented a bit 
commitment protocol fl4| that was claimed and generally 
accepted to be unconditionally secure. 

In 1996 it was then realized by Lo and Chau [IH fl^]. 
and independently by Mayers [13, [H, EH that all previ- 
ously proposed bit commitment protocols are vulnerable 
to a generalized version of the EPR attack that renders 
the BB84 proposal insecure, a result they slightly ex- 
tended to cover quantum bit commitment protocols in 
general. In essence, their proof goes as follows: At the 
end of the commitment phase, Bob will hold one out of 
two quantum states Qk as proof of Alice's commitment 
to the bit value k 6 {0, 1}. Alice holds its purification 
which she will later pass on to Bob to unveil. For 
the protocol to be concealing, the two states Qk should 
be (almost) indistinguishable, go w g\. But Uhlmann's 
theorem (20 , l2~l| then implies the existence of a unitary 
transformation U that (nearly) rotates the purification 
of go into the purification of g\. Since U is localized on 
the purifying system only, which is entirely under Alice's 
control, Lo-Chau-Mayers argue that Alice can switch at 
will back and forth between the two states, and is not in 
any way bound to her commitment. As a consequence, 
any concealing bit commitment protocol is argued to be 
necessarily non-binding. 

These results still hold true when both players are re- 
stricted by superselection rules [22|]- So while the pro- 
posed quantum bit commitment protocols offer good 
practical security on the grounds that Alice's EPR attack 
is hard to perform with current technology, none of them 
is unconditionally secure. Spekkens and Rudolph [23[ ex- 
tended the no-go theorem by providing explicit bounds 
on the degree of concealment and bindingness that can be 
achieved simultaneously in any bit commitment protocol, 
some of which they showed can be saturated. 



B. Two Camps 

In view of these negative results, subsequent research 
has primarily focused on bit commitment under plausi- 
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ble technological constraints, such as a limited classical 
0, [25[ or quantum (26} memory, or the difficulty of per- 
forming collective measurements [13] • In an alternative 
approach, researchers have slightly modified the standard 
setting to evade the no-go theorem: Kent [28|, H^] has 
shown that relativistic signalling constraints may facili- 
tate secure bit commitment when Alice and Bob each run 
two labs a (large) distance apart and security is main- 
tained through a continual exchange of messages. A dif- 
ferent variant was introduced by Hardy and Kent [30| . 
and independently by Aharonov et al. 31]: in cheat- 
sensitive bit commitment protocols, both players may 
have the chance to cheat, but face the risk of their fraud 
being detecte d by the adversary. Building on Kent's orig- 
inal proposal [321 ] , the tradeoff between bindingness and 
concealment in quantum string commitment protocols 
has recently been investigated [33|, [H, HU . 

At the same time, the Lo-Chau-Mayers no-go theorem 
[TEl [l8j is continually being challenged. Yuen and oth- 
ers have repeatedly expressed doubts in Mayer's opaque 
paper fl8l| . arguing that the no-go proof is not gen- 
eral enough to exclude all conceivable quantum bit com- 
mitment protocols. Several protocols have been pro- 
posed and claimed to circumvent the no-go theorem (see 
[H, H3, [38l. [39l. [40| and references therein, as well as this 
account [4l|, |42| of the controversy) . These protocols seek 
to strengthen Bob's position with the help of 'secret pa- 
rameters' or 'anonymous states', so that Alice lacks some 
information to cheat successfully: while Uhlmann's theo- 
rem would still imply the existence of a unitary cheating 
transformation as described above, this transformation 
might be unknown to Alice. 

Two camps seem to have formed, a large one compris- 
ing most of the community, in which the impossibility of 
quantum bit commitment is accepted on the basis of the 
Lo-Chau-Mayers proof, and a smaller group of sceptics, 
which is not convinced, even though no provably secure 
protocol, and hence a counterexample to the no-go result, 
has surfaced so far. 

It appears that much of this controversy stems from 
slightly differing approaches to the problem. A good way 
to pinpoint the basic disagreement is Kerckhoffs' princi- 
ple, which goes back to the 19th century military cryp- 
tographer Auguste Kerckhoffs and is now universally em- 
braced by cryptographers [H, E3 ■ The principle states 
that the security of a cryptographic protocol should not 
rely on keeping parts of the algorithm secret. In the 
words of Bruce Schneier, "every secret creates a poten- 
tial failure point. Secrecy, in other words, is a prime 
cause of brittleness — and therefore something likely to 
make a system prone to catastrophic collapse" (45[. In 
this respect every secret parameter chosen by the human 
in a cryptographic protocol — e. g. a password — is 
regarded as a potential weakness. For this reason cryp- 
tographers usually think of their algorithms as being ex- 
ecuted by machines, whose blueprints can be published 
without jeopardizing the security of the system. 

Anonymous states and other secret parameters used 



in Yuen's protocols are apparently regarded as a viola- 
tion of Kerckhoffs' principle, which suggests a restriction 
to fixed and automatizable strategies for both players. 
Deviations from these strategies are considered an at- 
tempted fraud. The Kerckhoffian security analysis then 
does not hold any provisions for the case in which both 
parties deviate from their 'honest' strategies. Therefore 
Lo-Chau-Mayers only consider the final committed state 
given that Bob sticks to his publicly known strategy, since 
Alice's cheat only has to work against this strategy. So 
while Kerckhoffs' principle is certainly high on the list 
of desiderata for cryptographic protocols, it appears that 
Lo-Chau-Mayers only show that there is no bit commit- 
ment protocol satisfying Kerckhoffs ' principle, whereas 
the next best thing, e.g., an anonymous state protocol 
might still exist. 

Another possible origin for disagreement is the style of 
Mayers's paper [III, along the lines of Mark Kac's dic- 
tum "A demonstration convinces a reasonable man; a 
proof convinces a stubborn man" 1 . In this sense, i.e., ac- 
cording to the standards of "stubborn" mathematics or 
mathematical physics, Mayers gives merely a demonstra- 
tion. Since the argument against Kerckhoffian protocols 
only involves the state directly after commitment, May- 
ers declares it irrelevant to formalize the class of two- 
party protocols, even though an insufficiently specified 
domain usually leaves a no-go "theorem" rather fuzzy. 
Other aspects of the problem (e.g. the use of classical 
and quantum information together) get a similarly rough 
treatment. This may be a symptom of the "Four Page 
Pest" 2 . In any case, it appeared to us high time to con- 
vince ourselves, and hopefully some other stubborn men, 
of the exact scope and status of the No Bit Commitment 
statements. 



C. A Stronger No-Go Theorem: Overview and 
Outline 

In this contribution we propose to resolve the bit com- 
mitment controversy with a strengthened no-go theorem. 
We will give a precise description of general two-party 
protocols, which we hope no longer shows the hard work 
of keeping it fully explicit but still notationally manage- 
able. This description should also be helpful for ana- 
lyzing protocols for other tasks, involving any number 
of parties. Our description of bit commitment docs not 
assume Kerckhoffs' principle, so that Bob is not honor 
bound to a particular course of action. Nevertheless, we 
show that any concealing protocol allows Alice a uni- 



1 Cited after N. D. Mermin: Exact Lower Bounds for Some Equi- 
librium Properties of a Classical One- Component Plasma, Phys. 
Rev. 171 (1968) 272, footnote 2. 

2 I.e., the disease of cramming an argument onto four pages in 
PRL format, although its shortest intelligible presentation re- 
quires more than six. 
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versal cheating strategy, working against all strategies 
of Bob simultaneously. Moreover, our result is stable 
against small errors, in the sense that nearly conceal- 
ing protocols allow a nearly perfect cheat, with explicit 
universal error bounds. The result is based on a continu- 
ity theorem for Stinespring's representation [46|, which 
generalizes Uhlmann's theorem from quantum states to 
channels. 

Our proof includes a full treatment of classical and 
quantum information flow and also covers aborts and re- 
sets. It applies to bit commitment protocols with any 
(finite or infinite) number of rounds during each the com- 
mitment, holding, and opening phase. We only require 
that the expected number of rounds is finite. More- 
over, the proof is not restricted to quantum systems on 
finite-dimensional Hilbcrt spaces. The strengthened no- 
go theorem shows the insecurity of all recently proposed 
bit commitment protocols [H, [3?], [H, [H, Hjj]. A pre- 
liminary version of the proof, restricted to single-round 
commitments, has appeared in [47| . Our results gen- 
eralize that of Ozawa [48[ and recent work by Cheung 
(49| . who showed that Alice can still cheat in protocols 
with secret parameters for the simpler case of perfect 
concealment, and without a full reduction. Cheung's es- 
timates for approximately concealing protocols de- 
pend on the dimensions of the underlying Hilbert space, 
and hence cannot rule out bit commitment protocols with 
high-dimensional or infinite-dimensional systems. 

We also classify those protocols that fall outside the 
standard setting, and thus may allow secure bit commit- 
ment. We propose a new such bit commitment protocol 
whose security — perhaps paradoxically — relies on deco- 
herence in Bob's lab. Interestingly, this protocol explores 
a purely quantum- mechanical effect: the distinction be- 
tween the local erasure of information and the destruc- 
tion of quantum correlations (55[. Well-known classical 
bit commitment protocols whose security relies on noisy 
communication channels are briefly reviewed, too. 

The paper is organized as follows: In Section [TT] we 
give a detailed description of the setup for quantum bit 
commitment protocols, and list important types of pro- 
tocols that fall within our definition. This will serve 
to specify the domain for the proof of the strengthened 
no-go theorem, which is then presented in Section IIIII 
In Section IIVI we briefly describe how to extend the 
no-go theorem to quantum bit commitment protocols 
in infinite-dimensional Hilbert spaces or with infinitely 
many rounds. Section fVl investigates provably secure bit 
commitment protocols whose security is built on deco- 
herence in either Alice's or Bob's lab, or in the transmis- 
sion line. We conclude with a Summary and Discussion 
in Sec. IVII An appendix contains the necessary back- 
ground on quantum states and channels, direct sums and 
quantum-classical hybrid systems. 



II. THE SETUP 

In this section we describe the task of quantum bit 
commitment, and define what a successful bit commit- 
ment protocol would have to achieve. We have attempted 
not to exclude any possibilities, and have avoided all sim- 
plifications "without loss of generality" at this stage. In 
this way we hope to separate, more clearly than our pre- 
decessors, the definition of bit commitment to which the 
statement "Bit commitment is impossible" refers and, on 
the other hand, the simplifications which we will make in 
the course of the proof of this statement. 

The analysis will be based solely on the principles 
of quantum mechanics, including classical physics. We 
do not consider relativistic signalling constraints, which 
are known to facilitate secure bit commitment p8l . [2^ | . 
For ease of presentation, we initially impose as a finite- 
ness condition, that all classical messages can only take 
finitely many values, that all quantum systems can be 
described in a finite dimensional Hilbert space, and that 
the total number of messages exchanged is uniformly 
bounded. These constraints will then be relaxed in 
Sec. ED 



A. Description in Plain English 

The Basic Task — Bit Commitment is a crypto- 
graphic primitive involving two mistrustful parties, con- 
ventionally called Alice and Bob. Alice is supposed to 
submit an encoded bit of information to Bob in such a 
way that Bob has (almost) no chance to identify the bit 
before Alice decodes it for him, and Alice has (almost) 
no way of changing the value of the bit after she has sub- 
mitted it. In other words, Bob is interested in binding 
Alice to some commitment, whereas Alice would like to 
conceal her commitment from Bob. 

Protocols and Strategies — A protocol first of all 
regulates the exchange of messages between Alice and 
Bob, such that at every stage it is clear what type of 
message is expected from the participants, although, of 
course, their content is not fixed. The expected message 
types can be either classical or quantum or a combina- 
tion thereof, with the number of distinguishable classi- 
cal signals and the dimension of the Hilbcrt spaces fixed. 
The type of messages can depend on classical information 
generated previously. The collection of all these instruc- 
tions will be called the communication interface of the 
protocol. 

A particular plan for operating a local laboratory to 
supply the required messages, is called a strategy. A 
strategy could determine that some message sent is ob- 
tained from a measurement on a system available in the 
local lab, but it could also specify the arbitrary invention 
of a classical value to be sent and the fresh preparation of 
an accompanying quantum system. We typically denote 
Alice's strategy by a and Bob's by b. 
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The second key element of the protocol specifies defi- 
nite procedures for Alice to follow if she wants to commit 
the bit values or 1, respectively. These special honest 
strategies will be denoted by ao and a\. 

Phases of the Protocol — In any commitment 
scheme, we can distinguish three phases. The first is the 
commitment phase, in which Alice and Bob start from 
some (publicly known and trusted) shared quantum or 
classical state and go through a possibly complicated ex- 
change of classical and quantum messages. By definition, 
at the end of this phase, the bit value is considered to be 
committed to Bob but, supposedly, concealed from him. 

Alice and Bob then might split up for a while, with- 
out further communication. In this holding phase typi- 
cally only local operations are possible, i.e., Bob might 
attempt to read the committed bit, and Alice might at- 
tempt to prepare a cheat. 

Finally they get in touch again to open the commit- 
ment. In the opening phase, Alice sends to Bob some 
classical or quantum information to reveal her commit- 
ment. Taking both Alice's message and his own (classical 
and quantum) records, Bob will then perform a suitable 
verification measurement. His measurement will result 
in either the bit value k £ {0, 1}, indicating a successful 
commitment, or in a failure symbol "not ok" , indicating 
an attempted cheat or abort. 

A typical opening consists in Alice sending to Bob the 
value of the bit she claims to have committed, together 
will all the classical or quantum information needed for 
Bob to check this claim against his records. The protocol 
might also be ended in a public opening, which requires 
Alice and Bob to meet, bringing with them all quantum 
and classical systems in their possession, explaining what 
strategies they were using, and allowing Bob to choose 
arbitrary measurements on all these systems to verify, 
with Alice staying on to watch. That is, no possibil- 
ity of cheating, withholding information, or making false 
claims about the outcome of verification exists in a public 
opening. 

Conditions on Successful Protocols — We assume 
that Alice's strategies ao and a\ can be distinguished with 
high probability by Bob's verification measurement: if 
Alice honestly played au, then Bob's measurement will 
result in the bit value k with probability > (1 — rf) for 
some (small) 77 > 0. We call such a protocol ^-verifiable, 
or rj-sound. Since this condition depends only on the 
honest strategies, it is very easy to satisfy. 

We call a protocol e- concealing, if Alice's honest strate- 
gies cannot be distinguished by Bob (up to an error e) 
before she opens the commitment. In general, of course, 
the probabilities he measures while applying his protocol 
b depend on whether Alice chooses ao or ai. Here we 
require that no matter what strategy b Bob uses and no 
matter what measurement he makes, these probabilities 
never differ by more than e throughout the commitment 
and holding phase. Note that the concealing condition 
makes no statement whatsoever about other strategies 
of Alice. If Alice cheats, there is usually nothing to be 



concealed anyway. 

A 5- cheating strategy for Alice is a pair of strategies 
a and a\ such that Bob cannot distinguish ao from a , 
and ai from a\ better than with a probability difference 
6, at any time, including the opening phase. Of course, 
these conditions would be trivially satisfied for ao = a 
and ai = a\. What makes (o) Q ,a\) cheating strategies is 
that Alice does not actually make the decision about the 
value of the bit until after the commitment phase. That 
is, the strategies a\ and a\ must be the same throughout 
the commitment phase, and can only differ by local oper- 
ations carried out in the holding or opening phase. Note, 
however, that Alice might have to decide from the outset 
that she wants to cheat, since the strategies a\ might be 
quite different from both ao and 01. Fig. [T] illustrates Al- 
ice's basic choices as she goes through the protocol. If no 
(5-cheating strategy exists for Alice, we call the protocol 
(5-binding. 



other 



strategies | . f 




commitment opening 

FIG. 1: Alice's basic strategic choices. Decisions she must 
take are indicated by diamonds, some actions necessary for 
a typical cheating strategy by squares. The cheating strategies 
o\ and a\ are identical throughout the commitment phase, and 
might be equal to a purification of the honest strategy ao . Then 
U indicates a unitary cheating transformation, and D the in- 
troduction of suitable decoherence to reverse purification. In 
the opening phase the cheating strategies are identical to their 
honest counterparts. 

The condition we impose here is much stronger than 
the condition that Bob's standard verification measure- 
ments are fooled by the cheat (perhaps with a bound 
on the success probability): We require that no measure- 
ment whatsoever could detect a difference. With a public 
opening rule one could even say that after the cheat not 
even Alice herself could help Bob to tell the difference. 
Clearly, these conditions make it very hard for Alice to 
cheat. Therefore, our proof that Alice can still cheat un- 
der such conditions automatically includes all protocols 
with weaker conditions on successful cheats. 

Real Time Checks for Cheating — It is perhaps 
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helpful to point out the difference between two kinds of 
checks on Alice's honesty, which Bob might perform. We 
have granted him unlimited technological power in the 
definition of e-concealing. But for running the protocol 
no such fantastic abilities are required, and he will not 
actually do all those complicated tests. In fact, the con- 
cealing and binding properties of the protocol cannot be 
ascertained by any practical tests, but are there to be 
checked theoretically by Alice and Bob on the basis of 
the publicly available description of the protocol. It is 
on the basis of such considerations that Alice and Bob 
will consent to use the protocol in the first place. 

During a single run of the protocol, Bob can employ 
some tests on Alice's behavior as part of the protocol. If 
Bob suspects a problem he may be entitled to calling an 
abort of the protocol (clearly a classical message), and 
the procedure would start at the beginning. The total 
number of such resets must be limited on the grounds of 
bounding Alice's probability of cheating. The possibility 
of such checks at run-time is the main reason why we 
must consider protocols with a large number of rounds, 
possibly differing from run to run. 

Result — We will prove in Sec. IIII Gl that any proto- 
col which is e-concealing allows a 5-cheating strategy for 
Alice, where S < These bounds coincide with those 

obtained by Spekkens and Rudolph [23[ in the Kerckhof- 
fian setting. 

As illustrated in Fig. [T] Alice's cheating strategy a" 
consists in playing a purification of the honest strategy 
ao throughout the commitment and holding phase. If 
she then opts for the bit value k = 1 instead, she will 
apply a unitary operation U on the purifying system, 
and thenceforth follow the honest strategy a%. 



B. Formal Description of Protocols 

In this section we will cast the above description more 
explicitly into the formalism of quantum theory. Thereby 
we further reduce possible ambiguities in the statement of 
the problem, but also prepare the notation for the proof. 

The basic formalism of quantum theory is briefly re- 
viewed in the Appendix. We will generally identify sys- 
tems by their observable algebras. This has the advan- 
tage that combinations of classical and quantum infor- 
mation are naturally covered: a quantum system with 
Hilbert space Ti. is then represented by the algebra BiTL) 
of operators on Tt, and a system characterized by a clas- 
sical parameter x, and has Hilbert space TL X in that case 
is described by the direct sum (§) X B(H X ). A state on 
such an algebra is of the form Q) x p x p x , and is speci- 
fied first by a probability distribution p x for the x's, and 
second by a collection of density operators p x on Tl x , 
which are used to compute expectations if the value of 
the classical parameter is known to be x. Since this for- 
malism for handling classical information in protocols is 
not generally familiar, we describe it in some more detail 
in Appendix A and B. 



Many algebras (indexed by the nodes of the communi- 
cation tree) will appear in the description of the protocol, 
indicating that with each operation the type of quantum 
system in the respective lab might change completely. By 
choosing the lab algebras large enough this dependence 
might be avoided. However, even when the lab systems 
remain the same, it is helpful to keep the distinguishing 
indices for keeping track of the progress of the protocol. 

1. The communication tree 

At every stage of the protocol a certain amount of 
shared classical information will have accumulated. Clas- 
sical information never gets lost, so the stages of the pro- 
tocol, together with the currently available classical in- 
formation naturally form the nodes of a tree, which we 
call the communication tree. An example is depicted in 
Fig. O Every node x carries the following information: 

1. Whose turn is it: Alice's or Bob's? This follows 
from the position of the node in the tree, when we 
assume without loss of generality, that Bob always 
starts, and from then turns alternate. 

2. What are the classical signals, which might be sent 
from this person to the other? The admissible sig- 
nals form a finite set M x by assumption. This set 
labels the branches continuing from this node to 
successor nodes which we denote by x' — xm, for 
m £ M x . 

3. For each possible classical signal, what kind of 
quantum system is accompanying it? If the clas- 
sical message is m, we take its observable algebra 
to be Mf n , and assume this to be the full algebra 
of d x d-matrices for some d = d(x,m) < oo. The 
value d(x, m) = I (~ no accompanying quantum 
system) is a possible choice. 

4. Each node x is completely characterized by the 
entire history of the classical messages exchanged 
between Alice and Bob, i.e., we can write x — 
TO1TO2 • • • niN- 

At every node, we denote the observable algebras of Al- 
ice's and Bob's laboratories by A x and B x , respectively. 
These are only partly determined by the communication 
interface, and depend on the strategy, which we some- 
times emphasize by writing A x (a) and B x (b). The de- 
scription of the communication step below shows in de- 
tail how these algebras develop as one moves along the 
communication tree. Let X c denote the set of nodes at 
which a commitment is supposed to be reached. Since 
only local operations and the opening phase follow, we 
can consider these as the leaves of the communication 
tree. The joint observable algebra at that stage is 

A x {a)®B x {b) (1) 
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Of course, the channel could be one that simply forces 
one of the results. Hence m could equally well be the 
result of Alice's free choice of strategy, or of a measure- 
ment on a system she recently obtained from Bob. If m 
is found, Alice also splits the output system into a part 
A xm {a) which Alice keeps, and the part M.^ she sends 
to Bob. This splitting is included in the specification of 
T x {a). That M.^ changes ownership is expressed in the 
above equation by including it in Bob's algebra at the 
next round (i.e., B xm ) as a tensor factor. At Bob's nodes 
everything is the same, but since we always order tensor 
factors as Alice ® Message £g> Bob, the analogues of the 
above equations at Bob's nodes are 



A 



T x (b) : M x m ®B xm {b)^B x {b) (4) 
sm (a) = A x (a)®M x m . (5) 



b 

o 

FIG. 2: Example of a communication tree. Each node cor- 
responds to one history of classical communications, with the 
different lines from each node representing a possible classical 
signal. The dashed lines represent the holding phase, in which 
no communication occurs, followed by the opening move ( open 
circle) by Alice, and a measurement by Bob. 

(see the Appendix for the interpretation of direct sums) . 
The algebras of Alice and Bob could themselves be direct 
sums, representing classical information only available to 
Alice and Bob, respectively, but we do not look at this 
for the moment. 



2. The elementary communication step 

Now consider some node x, and assume that it is Al- 
ice's turn (everything holds mutatis mutandis for Bob). 
We know that some message m £ M x is expected from 
Alice, accompanied by a quantum system with observ- 
able algebra M^. The most general way of doing this is 
a quantum operation sending states on A x to states on 
© m A xm ®Mm- Written in the Heisenberg picture Alice 
hence chooses a channel (completely positive normalized 
map, cf. Appendix) 

T x {a) : A xm (a) ® M x m ^ A x (a) (2) 

B xm (b) = M x m ®B x {b). (3) 

Here we have added a parameter a to T x , to make it 
clear that choosing these channels for all x is precisely 
what defines Alice's strategy. Note that the choice of 
the channel includes that of their domain and range al- 
gebras. The channel T x (a), together with the input state 
determines the probabilities for the classical outcomes m. 



3. From commencement to commitment 

We assume that Alice and Bob initially share the quan- 
tum or classical state po- Ao <8> Bo — > C. The joint state 

) : A x {a)®B x {b)^C (6) 

at commitment time is then p c (a,b,po) = po ° T(a,b), 
where 

T c {a, b) : A x (a) ® B x (b) -> Ao ® B Q (7) 

xGX a 

is the direct sum channel that arises from the concatena- 
tion of all the elementary step channels T x {a) and T x (b) 
up to commitment time. Of course, Eq. ([7|) holds cor- 
respondingly for the shared states at all other stages of 
the protocol. In particular, the final state pf(a,b,po) 
on which Bob carries out the verification measurement 
arises from the initial state po by means of a quantum 
operation 

T f (a, b) : A x {a) ® B x (b) -> Ao ® B Q (8) 
xeXf 

where Xf is the collection of all the leaves of the com- 
munication tree. We will assume that the initial state 
Po'-Ao ® Bq — > C is known to both Alice and Bob, 
and henceforth write p c (a,b) instead of p c (a,b, po), and 
Pf(a,b) instead of pf{a,b,po) to streamline the presen- 
tation. 



4- Can Bob distinguish Alice's strategies? 

In the concealing condition, as well as in the descrip- 
tion of cheating strategies, it is important to decide 
whether Bob can distinguish two strategies of Alice at 
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commitment time. Clearly, this depends only on the re- 
striction pf(a,i,b) of the state p c (a,i,b) to Bob's labora- 
tory, which has observable algebra 0^, B x . 

The security criterion given in Sec. Ill Al asks for the 
largest probability difference obtainable by Bob. It is 
convenient to express this in a trace norm difference: the 
largest difference of expectations in "yes-no" experiments 
with density matrices pi, P2 is sup F |tr(pi — p2)F\, where 
F ranges over all so-called effects F with < F < 1. 
That is, the largest probability difference is ^ \\pi — P2II1, 
where denotes the trace norm. This naturally leads 
us to the following definition of concealing protocols and 
cheating strategies: 

Definition 1 (Concealing) 

We say that a protocol with a strategy pair (ao,ai) for 
Alice is e-concealing iff for all strategies b of Bob 

\\pf(a ,b)-pf(a u b)\\ 1 <2e. (9) 



When this condition holds with e 
protocol is perfectly concealing. 



0, we say that the 



Note that one possible measuring strategy for Bob is to 
actually make the measurement at an earlier time, record 
the result, and send only dummy messages to Alice after- 
wards. So saying that two strategies are e-equivalent at 
some stage is the same as saying that they are equivalent 
up to that stage of the protocol. Hence the e-concealing 
condition implies the only apparently stronger statement 
that at no time during the commitment phase Bob is able 
to discriminate the honest commitments better than with 
probability e. 

Definition 2 (Cheating) 

A pair of strategies (aQ,a\) for Alice that coincide until 
after the commitment phase is called a S-cheating strategy 



pf(alb)-pf( ai ,b) 



< 25, 



(10) 



for Alice's honest strategies (ao,eti) 7 i — 0, 1 and all of 
Bob's strategies b. 

Dcf . [3 requires a cheating strategy to work against all of 
Bob's strategies — not only against some fixed strategy, 
as suggested by Kerckhoffs' Principle. We will show in 
Sec. IIII Gl that Alice can always find such a universally 
good cheating strategy. As explained in the Introduc- 
tion, this extends the no-go theorem to protocols relying 
on secret parameters or "anonymous states" . If Bob's 
strategy b is supposed to be fixed and publicly known in 
Eq. (fTT)|) , our no-go proof will reduce in essence to the one 
obtained previously by Lo-Chau-Mayers [H, EE E3) EH • 



C. Protocols Covered by our Definition 

In this section we describe some ideas from the liter- 
ature about possible protocols, in increasing complexity. 



Of course, none of them are ultimately successful. But 
this is in many cases not obvious from the outset, so these 
ideas serve well to illustrate the richness of two-party pro- 
tocols as formalized in our scheme. 



1. The 



As explained in the Introduction, the first observation 
concerning quantum bit commitment was made in the 
classic paper of Bennett and Brassard on quantum cryp- 
tography 12j. In this basic scenario the commitment 
phase has only one round, in which Alice prepares one 
of two orthogonal Bell states ipo,ipi € Ha ® H-B- These 
have the same restriction on Bob's system, so the proto- 
col is perfectly concealing. But they are also connected 
by a unitary on Alice's side (as all maximally entangled 
states are), and this unitary constitutes her sneak flip 
cheating strategy, which under these circumstances also 
works perfectly. 



2. Alice sends a state 

The natural generalization of this protocol is to replace 
the Bell states by arbitrary pure states generated by Alice 
[l5l [l8|. When these have the same restriction on Bob's 
side, they are purifications of the same state, and hence 
connected by a partial isometry on Alice's side, which 
serves as a sneak flip operation. A crucial step is now 
to go away from perfect concealment (e — in Eq. @), 
which seems to have been considered first in [18[. In 
this case one has to use a continuity result for purifica- 
tions, i.e., that nearby states have nearby purifications. 
In other words, one needs an estimate [2l| of Uhlmann's 
fidelity (which measures the distance between purifying 
vectors), and the trace norm. 



3. Classical communication 

Classical communication occurs naturally in crypto- 
graphic protocols, so it needs to be included in the anal- 
ysis. In contrast to some of our predecessors, who choose 
a purely quantum description from the outset, we treat 
classical information explicitly throughout. In particular, 
classical information in the Lo-Chau-Mayers approach 
is treated quantum-mechanically and sent over noiseless 
quantum channels, while our description explicitly allows 
information transfer over classical channels, and thus pro- 
vides a natural setting to include purely classical proto- 
cols in the analysis. 

Cheating becomes harder for Alice if the protocol re- 
quires some exchange of classical information, for she 
no longer has full control over the purification spaces of 
the two commitment states. Roughly speaking, unitaries 
which introduce superpositions of states, which belong to 
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different classical values already sent to Bob, are forbid- 
den. In the formalism introduced above this means that 
Alice has to find a cheating unitary for every classical 
communication history x. 

Mayers' heuristic paper (l8j has some provisions for 
this case, by sending classical values to a special quantum 
repository in the environment, and effectively coherenti- 
fying all classical information. In contrast, in this text 
the classical communication flow is treated explicitly, and 
in fact emerges naturally as a framework for the descrip- 
tion of the protocol. This approach should also prove 
helpful in the analysis of other cryptographic tasks. 

4- Bob supplies the paper 

The protocols so far were characterized by the prop- 
erty that Bob really had no strategic choices to make 
during the commitment phase. Hence the state at the 
end of the commitment phase, written in our scheme as 
p c (a,b), really does not depend on Bob's strategy b. So 
Alice only has to connect the purifications of two states 
which are explicitly known to her. Clearly, her task of 
finding a clever sneak flip becomes harder if there is a 
proper dependence on b. Lo-Chau-Mayers restrict their 
analysis to those protocols in which Bob follows a speci- 
fied 'honest' strategy &*, which is assumed to be publicly 
known in accordance with Kerckhoffs' principle. In these 
cases, Alice knows how to cheat, and the no-go result 
immediately applies. 

As explained in the Introduction, we do not require 
that Bob follows such a publicly known standard strat- 
egy. Alice then indeed has to find a sneak flip working 
for all of Bob's admissible strategies b. The easiest such 
protocol begins with Bob sending a system to Alice, in 
some state known only to him (in [38j | this is called an 
anonymous state). The honest strategies require Alice 
to encode the bit by using this system in some way and 
then returning a committing system to Bob. Effectively 
Alice now chooses not a state but a channel to encode her 
commitment. The purification idea and Uhlmann fidelity 
estimate no longer work for this, so these protocols are 
not covered by Lo-Chau-Mayers. Instead, the purifica- 
tion construction has to be generalized to the Stinespring 
representation of channels, and an appropriate continuity 
result has to be shown. This will be done in Section HTT1 



5. A decoherence monster in Bob's lab 

That the idea of states supplied by Bob may intro- 
duce interesting new aspects is demonstrated by a sce- 
nario which is not a bit commitment protocol in the sense 
of this section, because it makes additional assumptions 
about things happening in Bob's lab: Suppose that after 
Bob has sent some quantum state to Alice, a Decoherence 
Monster (such as the cleaning service) enters his lab, and 
all quantum information is destroyed. Only his classical 



records survive. That is, he still knows what preparation 
he made, but cannot use the entangled records he made 
during the preparation. Now suppose that Alice and Bob 
can rely on this happening. Then they can design a bit 
commitment protocol that works. So, paradoxically, the 
monster strengthens Bob's position, because it weakens 
the assumptions about his ability to break the conceal- 
ment. Hence one can make protocols which are binding 
in the strong sense described above, but concealing only 
if we assume that coherence in Bob's lab is indeed de- 
stroyed. We will analyze this possibility in Section IVBl 



6. Alice can choose more strategies 

An apparent generalization would allow Alice to choose 
her honest strategy ao at will from some set Ao of honest 
strategies, and a\ from Ai. The idea is that now some 
a G Ao might well be distinguishable from some a\ G Ai 
for Bob. Concealment under such circumstances means 
that Bob, on seeing data compatible with some ao dur- 
ing the commitment or holding phase can never be sure 
that they do not come from a certain a\. In other words, 
for every ao G Ao there must be an e-equivalent strat- 
egy a\ G Ai. But then, according to our result, Alice 
might develop a sneak flip attack on the basis of these 
two protocols alone. 



7. More communication in the holding phase 

In Section TH Ai we excluded any communication in the 
holding phase, and, apart from a single message from Al- 
ice to Bob, also in the opening phase. There is, however, 
no problem to allow such communication, and some pro- 
tocols, like Kent's protocol using relativistic signal speed 
constraints (28l . [29l | , require a lot of communication in the 
holding phase. 

Of course, protocols with no rounds at all in the hold- 
ing phase are directly covered by our definition. The 
only strategic difference between holding and commit- 
ment phase is that Alice's cheating strategies <Zq and 
a\ are only required to coincide during the commitment 
phase. She might start cheating with different tricks for 
and 1 during the holding phase. 

Clearly, declaring the holding phase a part of the com- 
mitment phase only weakens Alice's cheating possibility. 
However, she does not need these extra options anyway: 
a sneak flip attack at the end of the holding phase is 
always possible, as we show. 



8. Aborts and resets 

Often in cryptography one considers protocols which 
allow the parties to call an "abort" . We can distinguish 
two kinds of abort: when a constructive abort, or reset 
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occurs, the protocol is started anew, whereas at a full 
abort the whole protocol is terminated as unsuccessful. 

Both kinds of aborts are covered in our scheme, but 
they would be typical of different phases. Resets are 
quite natural in the commitment phase. For example, 
Bob might make a test measurement on some message 
he receives, and refuses to continue if there is a slight de- 
viation from what is expected from Alice playing honest. 
A reasonable requirement at this point is that the prob- 
ability for reaching a commitment after some number of 
rounds with an honest Alice is positive. Then allowing 
even more retrials one could bring the probability for 
reaching commitment close to one, and allow some arbi- 
trary choice in the remaining cases, i.e., if the allotted 
total number of rounds is exhausted without a commit- 
ment. In this way one would get a protocol satisfying our 
finiteness condition, while retaining the potential value of 
resets for a commitment protocol. Strictly speaking, re- 
sets can only occur during the commitment phase, since 
we have demanded a partitioning of each protocol run 
into three successive phases (without relapses into ear- 
lier phases). However, the holding phase can be essen- 
tially united with the commitment phase (see Sec. Ill C 7| . 
Hence we can effectively also cover constructive aborts 
during the holding phase. 

In the opening phase we can consider full, or destruc- 
tive aborts. This is a move right to an endpoint of 
the communication tree, labelled accordingly. Clearly 
this possibility weakens Bob's discrimination powers, and 
makes it much easier to cheat for Alice. In particular, 
each sneak flip attack becomes successful. Therefore, the 
abort possibility does not seem to present any interest- 
ing strategic options for quantum bit commitment. The 
proof in Sec. IIHI shows that this is indeed the case. 



9. Concatenated protocols 

Sometimes one considers settings in which a variety 
of different cryptographic protocols are run in parallel 
or in succession, usually with dependent inputs. Ob- 
taining bounds on the security of concatenated protocols 
in terms of the security parameters of their component 
parts is often far from straightforward, and a subject 
of ongoing research even in classical cryptography [51] . 
However, in this work we are chiefly concerned with im- 
possibility results, which easily transfer to concatenated 
protocols: Running a finite number of (possibly differ- 
ent) bit commitment protocols in parallel or succession, 
and assuming that those protocols all fall into the frame- 
work described in this chapter, the concatenated protocol 
is again a quantum bit commitment protocol, with suit- 
ably enlarged Hilbert and classical messenger spaces and 
possibly a larger number of rounds. Since the latter pro- 
tocol is covered by our impossibility result, concatenating 
finitely many insecure bit commitment protocols cannot 
help to establish secure bit commitment. 

The formulation of two party protocols that we de- 



scribe in Sec. Ill Bl is by no means limited to quantum 
bit commitment, and hence could also be used to model 
larger cryptographic environments, of which quantum bit 
commitment might be a subroutine. In Fig. [21 such a pro- 
tocol would appear as a subtree. Concealment and bind- 
ingness would have to be guaranteed for the entire tree, 
and hence by restriction for the subtree. Thus, no two- 
party cryptographic protocol covered by the framework 
described in Sec. Ill Bl can contain a secure bit commit- 
ment protocol. 

The composability analysis is of course much more in- 
volved for secure protocols. The security proof we pro- 
vide in Sec. IV Bl for the decoherence monster protocol in 
general only applies to the protocol as a stand-alone ob- 
ject. If this protocol is then used as a subroutine in a 
larger and complicated cryptographic context, the secu- 
rity analysis will usually have to be tailored to the specific 
protocol. Fortunately, at least the cb-norm estimates we 
use in the proof of Th. Q~2] are stabilized distance mea- 
sures, and hence well-behaved under concatenation (cf. 
App. C). 



III. PROOF 

In the exposition of the task of bit commitment and 
the admissible protocols we have tried not to restrict 
generality by simplifying assumptions, in order not to 
weaken the scope of the no-go theorem. This leads to 
a rather wild class of strategies to be considered: arbi- 
trarily many rounds of communication of varying length, 
infinite-dimensional local lab Hilbert spaces, and all that. 
Clearly, in the course of the proof we want to get rid of 
this generality. The main idea for simplifications is that 
obviously inferior methods of analysis for Bob, or infe- 
rior cheating methods for Alice need not be considered. 
We therefore begin with an explanation of what it means 
that one strategy is "obviously inferior" , or weaker than 
another (see Sec. IIII A"|) . 

The first application of this idea is the process of pu- 
rification, by which a general strategy is turned into an- 
other one, which avoids all measurements not demanded 
by the communication interface, and turns all decohering 
operations into coherent information transfer to ancillas. 
Stincspring's dilation theorem guarantees that this can 
always be done. We explain in Sec. IIII Bl how the purifi- 
cations result in locally coherent strategies, which will be 
crucial for Alice's cheat later on, and have been a part of 
all no-go results. 

Once a player has chosen a locally coherent strategy, 
it is possible to reduce the lab spaces considerably. For 
example, if a strategy requires the choice of a mixed 
state, this state may have an infinite-dimensional sup- 
port Hilbert space. Its purification, however, is a sin- 
gle vector, so up to a unitary transformation, which can 
be absorbed into subsequent operations, it suffices to 
take a one dimensional Hilbert space. We show that 
this works for operations as well: for every locally co- 
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herent strategy there is a stronger one (in the sense of 
Sec. IIII A"|) . using only finite-dimensional Hilbcrt spaces, 
with a universal dimension bound depending only on the 
dimension of quantum messages exchanged so far and 
the trusted ressources shared initially. In particular, an 
infinite-dimensional lab space will not give more power 
to Bob. This will be shown in Sec. IIII CI and leads to 
the consequence that effectively (up to any desired level 
of accuracy) we need only consider a finite number of 
strategies for Bob. 

The next step is in some sense a dual of purification: 
purification means that we can avoid measurements dur- 
ing a protocol, deferring all such operations to the final 
measurement. Similarly, we can move the acts of deci- 
sion making during the protocol to the very beginning, 
by introducing a strategy register (see Sec. IIII Dl) . which 
is described in the Hilbert space £ 2 (S), for some finite set 
S of strategies. The choice of a strategy is then expressed 
by preparing some initial state of the strategy register, 
and then letting controlled unitaries transcribe this infor- 
mation into suitable operations at all later rounds. Let 
us denote by b a Bob's strategy of installing the strat- 
egy register mechanism, and preparing the initial state 
a for that register. The state p c (a,b a ) at commitment 
time then depends linearly on cr, and after specifying the 
trusted initial state po and tracing out Alice's lab, we 
find a channel T B (a) depending on Alice's strategy a, 
such that 

T» : 8^S(< 2 (S)) (11) 

tr a T B (a)(B) = tr p B (a, b a ) B (12) 

for all B € ® X B X . This channel now summarizes every- 
thing that Bob can possibly learn about Alice's strategy 
by choosing his own strategy and making a measurement 
in his lab after the commitment. In a simple, purely Ker- 
ckhoffian scenario the analogous object is just the state 
at commitment time, since one does not allow Bob a 
choice of different legitimate strategies. However, in our 
more general framework we do need to consider the de- 
pendence on cr, and correspondingly cheats which work 
uniformly well for all cr. 

As an instructive special case, we next suppose that 
the protocol is perfectly concealing, which is expressed 
by T B (a ) = T B (ai). We show in Sec. MM that Alice 
then has a perfect cheat. Its existence is guaranteed by 
the uniqueness clause in the Stinespring dilation theo- 
rem. From this prototype of Alice's cheat one can see 
how an approximate cheat in response to approximate 
concealment T B (ao) « T B (ai) should work. 

In the next section we look more carefully into the kind 
of approximation T B (ao) i=s T B (ai) sufficient to draw the 
desired conclusion. It turns out that we need to con- 
sider a special attempt of concealment breaking for Bob, 
namely keeping an entangled record of the strategy regis- 
ter and making a joint measurement on the rest of his sys- 
tem and this "backup copy" after commitment. Clearly, 
this is a legitimate attempt in our framework, and hence 



must already be implicit in the strategies controlled by 
the strategy register. However, making this scheme ex- 
plicit provides the right kind of norm (cb-norm) on chan- 
nels so that a small | |r B (a ) — r B (ai)|| c b guarantees the 
existence of an approximately ideal cheat. The techni- 
cal result guaranteeing this is a new continuity theorem 
[4t| for the Stinespring dilation construction, which we 
review in Sec. IIII Gl 



A. Comparing the Strength of Strategies 

Consider two strategies a and a' of Alice. We will say 
that a' is stronger than a, if whatever Alice can achieve 
by strategy a she can also achieve by a! . More explicitly, 
we require that there exists a suitable revert operation 
R x : A x (a) — > A x (a') bringing Alice back to strategy a at 
whatever node x she so chooses (observe the direction of 
arrows due to the Heisenberg picture). That she actually 
comes back to a is guaranteed inductively, i.e., we require 
that 

R x T x (a)=T x (a') (R 

x in 

<g)id M ^) (13) 

at Alice's nodes and 
Rxm = Rx ® id M*> (14) 
at Bob's nodes. 

Tracing this all the way back to the root of the tree we 
get, for any of Bob's protocols b, and for any stage of the 
protocol, in particular for the commitment stage X c , 

tr p c (a, b) (0 F X ®G X ) = tr p c (a', b) (0 R X {F X )®G^ . 

X X 

(15) 

Taking F x = l x in Eq. (fT5|) (corresponding to the partial 
trace over Alice's lab space in the Schrodinger picture), 
we see that Bob's subsystems are completely unaffected, 
i.e., Bob will never be able to tell the difference between a 
and a' . The strategic significance of passing to a stronger 
strategy is different for Alice and for Bob. 

For Bob a stronger b' is just another strategy to be 
considered in the concealing condition and in the condi- 
tion for a successful cheat. Since Bob does not loose any 
discriminating power in playing coherent, Alice (and we) 
might as well assume that he is always using the strongest 
strategy available. This simplifies the analysis, as we will 
see in more detail below. 

For an honest Alice there is no option. Whatever the 
honest strategies ao and a\ specify, she has to follow. 
However, since Bob will never know the difference, it 
is easy to check from the definitions of concealing and 
binding in Sec. Ill B1 that whenever (ao,ai) is a bit com- 
mitment protocol with security parameters e and 5, then 
so is any pair of stronger strategies (a^a^), with the 
same parameters. Hence we could assume for the sake of 
an impossibility proof that Alice's honest strategies are 



12 



strengthened in some way. However, there is hardly an 
advantage in that assumption, and we will not do so. 

For a cheating Alice, using all the power of her in- 
finitely well equipped lab, and hence using the strongest 
available strategies is clearly the best choice. Indeed, 
this will be the only difference between the honest and 
the cheating strategies during the commitment phase: 
these consists of playing until commitment a particular 
strengthening of an honest strategy, namely the local pu- 
rification discussed in the next subsection. 



B. Local Purification 

Intuitively, maintaining coherence during quantum op- 
erations is more demanding than allowing thermal noise 
and other sources of decoherence to have their way. 
Therefore, doing only those measurements needed for sat- 
isfying the communication interface rules, but avoiding 
all other decoherence should lead to a stronger protocol 
in the sense of Sec. MI Al 

The simplified "locally coherent" strategies are more 
easily expressed in terms of operators acting on Hilbcrt 
spaces than by superoperators acting on algebras. There- 
fore we need a notation for the message Hilbert spaces as 
well, i.e., we set M. m — B(K, m ), where dim/C^ = d(x,m) 
is the dimension parameter from the description of the 
communication tree in Sec. Ill B II 

Definition 3 (Locally Coherent Strategy) 

We call a strategy a of Alice locally coherent iff for all 
communication nodes x we have A x {a) = B{TL x {a)) and, 
at all of Alice's nodes, the guantum channel T x (a) : 
® m A xm {a) O M x m -> A x {a) from Eq. is given by 
operators 

V x , m (a) : H x (a) -> H xm {a) ® K m (16) 

such that 

T ^( fl )(0 A ™ ® y ™) = £ V x , m (a)* (A m <g> Y m )V x . m (a) 

m m 

(17) 

for all Am G B(H xm (a)) and Y m e B(K, m ). 

The point here is that each summand in this T x (a) 
is pure, i.e., given by a single Kraus operator V Xt m(a). 
This is equivalent to the property that the m th term in 
this sum cannot be decomposed into a non-trivial sum 
of other completely positive maps, which would in turn 
correspond to the extraction of further classical informa- 
tion. Using a non-pure map in a strategy would therefore 
mean to exercise less than the maximal control allowed 
by quantum theory. Note that m is in general a random 
outcome, but Alice can make it deterministic by choosing 
her strategy a corresponding to V x . m (a) — S m , ma V x , with 
an isometry V x . 

There is a canonical way to convert any strategy into 
a locally coherent one, which is provided by the basic 



structure theorem for completely positive maps. We state 
it in a form appropriate for the finite-dimensional case 
which is needed here. We refer to Paulsen's text for 
further details and the proof. 

Proposition 1 (Stinespring Dilation) 

Let A be a finite dimensional C*-algebra, TL a Hilbert 
space, and T : A — > B{TL) a completely positive map. 
Then there is another Hilbert space K,, a * -representation 
7r : A — > B(JC), and a bounded operator V : TL — > K, such 
that, for all A e A, 

T(A) = V*tt(A)V. (18) 

If (^0) n o, Vq) and (fCi,iri,Vx) are two such representa- 
tions, there is a partial isometry U : ICq — > ICi such that 

UV = V u (19) 

U*Vi = V a and (20) 

Utt (A) = m{A)U (21) 

for all AeA. 

We will use this proposition several times, but ignore 
the uniqueness statement for the moment. Then we can 
iteratively generate a locally coherent protocol a from a, 
together with the required revert operations showing that 
a is indeed stronger than a. Suppose the space TL x {a) 
and the revert channel R x : A x (a) — > B(H x (d)) = A x (d) 
has already been defined along with these objects for all 
earlier nodes. We need to extend this definition to all 
successor nodes xm. If the node x belongs to Bob, there 
is nothing to do since Eq. (TTi|) explicitly defines R xm - At 
Alice's nodes, we apply the Stinespring Theorem to the 
composition 

R x T x {a): A xm (a)®M m -» B(H x (a)). (22) 

The dilation theorem then provides us with a representa- 
tion 7r x of meM A xm (a) £g> on some Hilbert space 
K x and an isometry V x :TL x {a) — > IC X . Now the projec- 
tions P m in meM A xm (a) <g> M m which correspond 
to the direct sum decomposition over m are mapped 
by tt x to projections on K, x , so we get a decomposition 
into orthogonal subspaces K x = © -k x (P m )]C x . Since 
the P m commute with all other elements of the alge- 
bra, the projections 7r x (P m ) commute with all tt x (A), 
and A i— * ■K x (P m )'K x ( y A) becomes a representation on 
ftx(Pm)fcx- This representation can be restricted to the 
message algebra M, m , and since the representation of a 
full matrix algebra is unique up to multiplicity (and up 
to unitary equivalence indicated by "=" in the equations 
below), we can split the subspace n x (P m )K x into a tensor 
product: 

n x (P m )>Cx - H xm {a)®1C m , (23) 
n x (l®X)TT x {P m ) Si 1®X, (24) 

1T X (A (g) 1) TT x (P m ) = (A) O 1. (25) 
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At the last line we have used that all ir x (A(g) 1) commute 
with all ir x (t eg) X) = (1 ® X), so must be of the form 
A' ® 1 for some A' — Tr xm (A). We have already indicated 
in the notation that the space Ti. xm (o,) arising in this 
construction will be chosen as Alice's lab Hilbcrt space for 
the coherent strategy a. The revert operation will simply 
be R xm = n xm : A xm (a) — > B(H xm {a)) and, finally, the 
isometries of the pure strategy will be 

V x<m (a) = n x (P m )V x (a): H x (a) -> n x (P m )fC x (26) 

= H xm {a) ® K x m . 

Then Eq. (|13[) holds by virtue of the Stinespring repre- 
sentation, and we have shown that a is indeed stronger 
than o. 

To summarize: for every strategy a there is a stronger 
locally coherent strategy a. Moreover, the corresponding 
revert operation can be chosen to be a representation for 
all x. Of course, the same construction holds for Bob's 
nodes. 

In the sequel we will assume from now on that Bob 
uses coherent strategies, since this does not constrain 
his power to resolve Alice's actions at any stage. As 
we will show in the proof of Th. 01 Alice's cheat consists 
in playing suitable purified strategies, too. By means of 
Eq. (|15p . purification on Alice's side will give Bob no clue 
whatsoever about her cheating attempt. 

C. Bounding Local Hilbert Space Dimensions 

It is a crucial point in the definition of concealment 
that no limitations are imposed on Bob's capabilities. In 
particular, he could choose to use arbitrarily large local 
lab Hilbert spaces. In principle, this makes scanning all 
of Bob's strategies for checking e-concealment an infinite 
task. However, the purification construction takes care 
of this aspect as well, and we will show that without loss 
of discrimination power Bob can fix the dimension of his 
lab spaces uniformly over all his strategies. 

The Stinespring construction respects finite dimension- 
ality. Usually one takes a "minimal" dilation, which 
means that the vectors Tr(A)V(f> with A E A and <p e H 
are dense in JC. Hence dim/C < dim A ■ dim7i. How- 
ever, since this bound still contains the algebra A, which 
is part of the strategy whose purification generates the 
locally coherent protocol, and which is not a priori 
bounded, this argument does not suffice to derive a uni- 
form dimension bound on local lab spaces. 

The desired bound can be constructed by looking di- 
rectly at the definition of locally coherent strategies. Here 
the growth of Bob's lab space is given by the two opera- 
tions 

V x , m {b) : H x (b)->JC x m ®H xm (b) (27) 

at Bob's nodes and 

H xm (b) = JC x m ®H x {b) (28) 

at Alice's nodes. 



Given the dimensions of Tt x (b) and /C^, the first line per 
se does not imply a bound on the dimension of 7i. xm (b)- 
However, the range of V x ^ m has known finite dimension, 
so most of these dimensions will never be used. More 
precisely, we can find a subspace T~i xm (b) C 1i. xm (b) such 
that 

v x , m (b) (n x (b)) cic x m ® n' xm (b). (29) 

Indeed, we can take Ti.' xm (b) as the span of all vectors <j) a j 
appearing in the expansion V x , m {b) 4>a = Ylj^j ® 4>a,ji 
where {tpj} C IC^ and {4> a } C H x (b) are orthonormal 
bases. Hence 

dim H' xm (6) < dim H x (6) dim K? m . (30) 

We can now apply this idea inductively, i.e., with a 
previously constructed H' x (b) C H x (b) on the left hand 
side of Eq. (f2"9"]) . Note that at Alice's nodes there is noth- 
ing to choose, and the dimension bound Eq. (|3T))) holds 
with equality anyhow. At the root we have dim7io(b) = 
dim7Yg(6) =: G N for all strategies, the dimension of 
Bob's initial state space. 

Hence we have a new strategy, using the same isome- 
tries V x>m (h) as 6, but with domains and ranges restricted 
to a subspace H x (b') = H' x (b) C H x (b) for all b. We 
show now that b' is stronger than b. The required re- 
vert operation is implemented by the subspace embed- 
ding j x :U x {b') -> H x (b), as R X (B) = j*Bj x and, due to 
Eq. (f2"9"| . the operators V Xj7n for the new strategies are 
connected by 

V xm {b)j x = {t®j xm )V xm {b'yM x {b')^K% l ®H xm {b), 

(31) 

where j xm is the embedding of H xm (b) into H. xm (b)- 
Eq. (fT3]) then follows by combining this with Eq. (fT7|) in 
a version adapted to Bob's pure strategies. An intuitive 
description of this revert operation in the Schrodinger 
picture is to ask Bob to consider his density operator on 
H x (b') as a density operator on the larger space H x (b), 
by setting it equal to zero on the orthogonal complement. 

It is perhaps paradoxical that in this case the strategy 
using less resources is stronger. But in fact, they are 
just equally strong. The revert operation in the opposite 
direction is S x : B{H x {b')) -> B(H x (b)), with 

S X (B) = j x Bj* + Px (B)(l - Jx f x ), (32) 

where p x is an arbitrary state on B(TL x (b')). The sec- 
ond term is added to satisfy the channel normalization 
5a, (1) = 1. Since j*j x = 1, we have R X S X = id. The 
revert operation in this case is thus the projection on the 
subspace H x (b') c TC x (b). 

Taking together the reduction operation, and, possibly 
an expansion as described (adding some extra dimensions 
on which all states vanish), we can convert any strategy b 
to another one, for which the dimension bound Eq. (|30|) 
holds with equality, at both Bob's and Alice's nodes. But 
then we can identify all the spaces H x (b') with a fixed 
space of appropriate dimension, say 7i x . 
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Applying the same construction to Alice's operations, 
we find a strategy- independent Hilbert space Ti£. In par- 
ticular, we will henceforth assume H x (a ) = H x (&i) = 
H£ a t au nodes x for Alice's locally coherent strategies 
hi. This will simplify the discussion of Alice's cheating 
strategy in Sees. IIII El and UlI Gl below. 

We summarize this section in the following Proposi- 
tion, which we formulate for Bob's strategies. It holds 
equally for Alice's strategies, too. 

Proposition 2 (Dimension Bound) 

Let Ti B denote a family of Hilbert spaces with dimensions 
satisfying 

dimWf m = dimftf dim/C* (33) 
and d\mH B = d B £ N (34) 

for all nodes x. Then for every locally coherent strategy b 
of Bob there is an equally strong locally coherent strategy 
V with Hx{V) = H B for all x. 

The entire strategy dependence is now contained in the 
choice of the operators V x , m (V). 

Corollary 3 In the definitions of e-concealing and 6- 
cheating strategy, we may restrict the quantifier over all 
of Bob's strategies to locally coherent strategies with a 
strategy-independent lab Hilbert space TL B . 
For every £ > there is a finite set S of such strategies 
approximating all of Bob's discriminating procedures to 
within £. That is, for any strategy b of Bob we can find 
b' £ S such that for all of Alice's strategies a: 

||pc(o > 6)-p (o,6')lli<f ( 35 ) 

The proof of Corollary [3] is obvious from the dimension 
bound, and the observation that the set of bounded op- 
erators between Hilbert spaces of fixed finite dimension 
is compact in the norm topology. 

D. Bob's Strategy Register 

The next simplification we would like to introduce will 
significantly reduce the complexity of the many-round 
scenario. The basic idea is to replace all of Bob's choices 
by a single choice he makes at the beginning by prepar- 
ing a suitable initial state. His later choices will then be 
taken over by a sequence of "quantum controlled opera- 
tions" . This reorganization of Bob's choices requires the 
expansion of the lab space by an additional register, to 
hold the control information. It is perhaps worthwhile to 
emphasize that this strategy register serves merely as a 
technical tool in the no-go proof. 

We will choose a finite approximation S to Bob's strat- 
egy space in the sense of Corollary [3j with a very small 
value of £, which will be taken to zero at the end. The 
strategy register will be described by the Hilbert space 
£ 2 {S), the complex valued functions on S, with the usual 



scalar product. In other words, we have one basis vector 
| b) for each strategy b £ S. Then we set 

H B = H B ®l 2 (S) (36) 
V x<m : H B -> H B m ® (37) 

%, m = 5^ >m (6)® |6)(6| (38) 
bes 

Observe that V x , m is now independent of Bob's strat- 
egy (it depends on S). However, Bob still has a choice 
to make, namely the choice of the initial state for the 
strategy register. If he wants to play strategy b, he will 
set it to \b)(b\ and then let the pre-programmed controls 
take over. 

The construction also opens up the rather interesting 
possibility for Bob to play strategies in superposition, 
simply by initially preparing a superposition of the basis 
states | b). For this case it is helpful to bear in mind that 
the "control" by "controlled unitary operations" is not a 
one way affair. As soon as Bob prepares superpositions, 
the strategy register is in general affected by the interac- 
tion, so by "measuring the strategy" after a while, Bob 
could pick up some clues about Alice's actions. This is 
required by basic laws of quantum mechanics, because 
the controlled-unitary operation creates entanglement. 

Let us consider the overall effect of the protocol up 
to commitment, with the trusted shared initial state po 
considered fixed, Bob choosing an arbitrary initial state 
a £ B*(£ 2 (S)) (possibly mixed) for the strategy regis- 
ter, and Alice playing strategy a. At commitment, the 
observable algebra is now @ xeX Ar(a) <8 B(H B ). The 
state obtained on this algebra depends linearly on the 
initial state a, and being implemented by a series of com- 
pletely positive transformations, this dependence is given 
by a quantum channel T(a). In the Heisenberg picture 
we thus have 

r(o) : A x (a) <g> B{H B ) -> B(£ 2 (S)). (39) 

The restriction of the final state to Bob's side is what de- 
cides his chances of distinguishing different strategies of 
Alice. These restrictions are given by the reduced chan- 
nel T B {a) : 0^ B(H B ) - B(£ 2 (S)), given by 

r »(0 R z) =T(o)(0 l A Aa)®B x ). (40) 

The concealment condition requires that T B (a Q ) w 
T B (ai). The aim of the impossibility proof is to conclude 
from this the existence of a good cheating strategy for 
Alice. For this conclusion it turns out to be crucial how 
the approximate equality of these channels is expressed 
quantitatively. We defer this discussion to Sec. IIII Fl and 
treat first the case T B (ao) = T B (ai), which requires only 
the Stinespring dilation theorem, and shows more clearly 
what properties we need to establish in the approximate 
case. 
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E. The Case of Perfect Concealment 

In the sequel Bob is always understood to take advan- 
tage of his strategy register and pre-programmed con- 
trols, as described in Sec. IIIIDl So we will henceforth 
drop the tilde on Bob's Hilbert spaces H. x to streamline 
the presentation. 

For the case of perfect concealment, suppose that 
r B (ao) = r B (ai), and that Alice is preparing to cheat. 
She will then play the local purification di (i — 0, 1) 
of one of the honest strategies until commitment time. 
Note that both Alice's and Bob's strategies are assumed 
to be locally coherent in the sense of Sec. IIII Bl with 
Hilbert space dimensions independent of their respec- 
tive strategies as explained in Sec. IIII CI The concate- 
nated channel r(d 4 ): ® X B(H^) ® B{H B ) -> B(£ 2 (S)) 
is then likewise pure, and is hence given by operators 
V iiX :£ 2 (S)->H£®HZ as 

r(a l )(0(^®Bx)) = V* x {A x ®B x )V itX 

x£X c x£X c 

= v *( (B(A x ®B x j)Vi. 

x£X c 

(41) 

For the last step we have combined all the Vi >x into a 
single operator V* : £ 2 (S) K := ® X H£ <g> H B , and 
the direct sum refers to the direct sum decomposition of 
the underlying Hilbert space JC. Note that this Hilbert 
space carries a representation tt of Bob's observable al- 
gebra X B(H X ) at commitment time, simply by setting 
^(©z B x) = (& x lx ® B x . Hence (£, it, V l ) is a dilation 
of the channel T B (a,i) in the sense of Prop.[T] 

But now, by assumption r B (d ) = r B (a ) = T B (ai) = 
r B (ai). Hence we get two dilations of the same channel, 
which must be connected by a unitary operator U G B(JC) 
as in Prop. [TJ Essentially, this U will be Alice's cheat 
operation. What we have to show is that she can execute 
this operation on the system under her control, given the 
classical information x. 

The condition Uir(Y) — n(Y)U, applied to a projec- 
tion Y = P x of one of the summands implies that U can 
be broken into blocks, Un(P x ) = n(P x )U G B(7i^7i B ). 
The intertwining relation for n(B x ) allows us to conclude 
that this operator is of the form U x (g) 1 B , with a unitary 
operator U x G B(H X ). Clearly, U x is an operator between 
possible lab spaces of Alice, depending only on publicly 
available information x G X c . This will be Alice's cheat 
channel. Setting 

C x : B{H x {a x )) B(H x (a )) C X {A) = U*AU X , (42) 

we immediately conclude from UVq — V\ that 

r(ao)(0C x ®id B ) =r(di). (43) 

X 

Let us summarize Alice's perfect cheat. She will play 
the purification do of the honest strategy until com- 
mitment time. If at that time she decides to go for the 



bit value 0, she will just apply the revert operation from 
the purification construction. After that nobody can tell 
the difference between her actions and the honest do, not 
even with full access to both labs. On the other hand, 
if she wants to choose bit value 1, she will apply the 
cheat channel C x . We see from Eq. (|43|) that afterwards 
nobody will be able to tell the difference between her ac- 
tions and di. Finally, she will apply the revert operation 
from di to a±, hiding all her tracks. Note that the re- 
vert operation by construction works at any step: indeed 
Alice can cheat at any time, since the protocol must be 
concealing for all steps in order to be concealing at the 
commitment stage. 



F. Bob's Entangled Strategy Record 

In the previous section we have seen how Stinespring's 
theorem allows Alice to find a perfect cheat in a per- 
fectly concealing bit commitment protocol. The conti- 
nuity theorem presented in Section IIII Gl below shows 
that the same cheating strategy still works for Alice 
with high probability under more realistic conditions 
- when only approximate concealment is guaranteed, 
r B (ao) « T B (ai). The result crucially depends on the 
way in which the distance between these two channels is 
evaluated: Bob can test the condition r B (ao) ~ T B (ai) 
by preparing a state a for the strategy register £ 2 (S), 
and making a measurement on the system 7i B he re- 
ceives back from Alice. This includes both the possibility 
to superpose his original strategies |b), and the possibil- 
ity to mix such strategies in the sense of game theory. 
However, this still does not exhaust his options: he can 
keep an entangled record of his strategy. This would be 
pointless for just classical mixtures of his basic strategies 
| b). In that case all his density operators would commute 
with the "strategy observable" , and he could extract the 
initial strategy by a von Neumann measurement from 
the state at any later step. However, if he also uses su- 
perpositions of strategies, the controlled unitaries may 
properly "change" the strategy. It therefore makes sense 
to keep a record, i.e., to not only use a mixed initial state, 
which would correspond to a mixed strategy in the sense 
of von Neumann's game theory, but to use an entangled 
pure state on £ 2 (S) ® £ 2 (S'), with some reference system 
S' . It turns out that one can always choose S' = S (cf. 
Prop. 8.11 in Paulsen's text 56]). While the first copy in 
this tensor product is used as before to drive the condi- 
tional strategy operators V x , the second is the record and 
is completely left out of the dynamics. In other words, 
Bob not only uses a von Neumann mixed strategy, but 
the purification of this mixture. Concealment will then 
have to be guaranteed against his joint measurements on 
H X B ®£ 2 {S'). 

We will see in Sec. IV Bl that this procedure in gen- 
eral does increase Bob's resolution for the difference of 
channels. Of course, if the initial selection of strate- 
gies S is large enough, an approximation of this quan- 
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turn randomized strategy will already be contained in 
S, and the gain may be negligible. Mathematically, 
the introduction of randomized strategies corresponds 
to using a different norm: to guarantee concealment 
in the sense of Def. [IJ Alice will have to make sure 
that || (r B (ao) — r s (ai)) <g> id „ || < e if ^-dimensional 
bystander systems are taken into account, for all v G N. 
As explained in the Appendix, this just means that these 
two channels need to be indistinguishable in cb-norm, 
||r B (a ) - r- B (a 1 ) II < e for some small e > 0. 



G. The Full Impossibility Proof 

The full impossibility proof goes beyond the case of 
perfect concealment discussed in Sec. MI El It shows 
that Alice can still cheat if the bit commitment protocol 
is only approximately concealing, and provides explicit 
dimension-independent bounds on Alice's probability to 
pass Bob's tests undetected: 

Theorem 4 (No-Go Theorem) 

Any e-concealing bit commitment protocol in the sense of 
Sec. \IIB\ allows Alice to find a 2 y/e-cheating strategy. 

These bounds coincide with those obtained by Spekkens 
and Rudolph [231 ] in the Kerckofnan framework. Our 
proof shows that they still hold if Bob no longer sticks to 
a publicly known strategy. This is a significant improve- 
ment over Cheung's dimension-dependent estimates [50| . 
which do not suffice to rule out bit commitment protocols 
with large systems. 

The full no-go proof is based on a continuity result for 
Stinespring's dilation theorem, which we cite here from 
[46| . It states that two quantum channels T B , Ff are 
close in cb-norm iff there exist corresponding Stinespring 
isometries Vq, V± which are close in operator norm. This 
generalizes the uniqueness clause in Stinespring's theo- 
rem to cases in which two quantum channels differ by a 
finite amount, and hence is precisely the type of result 
we need to rule out approximately concealing bit com- 
mitment protocols. 

Proposition 5 (Continuity Theorem) 

Let Ti and Ti B be finite- dimensional Hilbert spaces, and 
suppose that 



r B V B. 

1 o ' 1 i ■ 



B(H B ) -» B{H) 



(44) 



are quantum channels with Stinespring isometries 
Voj V%: Ti — » Ti A ® Ti B and a common dilation space Ti A 
such that dim'TY' 4 > 2 dim7Y dim7Y B . We then have: 



inf||(C/® 1 B )F -Fi|r < ||lo -rf 



<2urf||(tf<8l B )V r o-Vi|l 



(45) 



We refer to [46| for a proof of Prop. [5] and further ap- 
plications of the continuity theorem. In this form the 
result applies to quantum channels whose common do- 
main is a full matrix algebra, while in our case the do- 
main algebra of the commitment channels T B = T B (ai) 
is the direct sum ® x B{Ti B ). Again we have dropped 
the tilde from Bob's Hilbert spaces in an attempt to 
streamline the presentation. In order to apply the con- 
tinuity theorem to our setting, we extend the chan- 
nels P = T{hi):® x B{n A ) <8> B(H B ) B{H) to chan- 
nels f ,fi:B(W A ® Ti B ) -> B(JC), where we have in- 
troduced the shortcuts Ti := i 2 (S), U A := ® x Ti A and 
U B := ® x Ti x . Note that the tensor product U A <g> U B 
has the direct sum decomposition ® xy Ti A ®Ti B , and that 
® x B(Ti A <g> H B ) is the subalgebra in B{U A H B ) which 
consists of those operators that are supported on the di- 
agonal subspace ® X TL A ® H x . For direct sum channels 
Ti(® x A x B x ) = Y, x V* X (A X B x )V i x as in Eq. gTj, 

the extensions Ti = Vj*(-)Vj have Stinespring isometries 
V Q , Vi : H -» U A ® U B = (B xy H A ® U B given by 



Viip := (J) S xy V itX ip 



(46) 



■'•y 



In the sequel we assume that the dilation spaces are cho- 
sen sufficiently large such that the dimension bound in 
Prop. [5] is met. The restrictions of T i to Bob's out- 
put system Ti B will be denoted by T B . We then have 
T B = rf o P, where the cp-map 

P: B(H B ) -> (S x B{TL X ) P(B) = ® x P X BP X (47) 

is composed of the projections P x in Ti B onto Ti x . Since 



rf 



cb 



|(rf -rf)oP|i < 



1 1 1 



cb ' 

we may now apply the left half of the continuity esti- 
mate Eq. (|45]) to the extended quantum channels T B to 
conclude that 



inf 

u 



{U®l B )Vb-Vi 



2 








< 


1 1 1 


< 


fo-fi 






cb 





cb 

(49) 

The minimization at this point is with respect to all uni- 
tary U G B(H A ), which can be given the block decom- 
position 



(50) 



where the minimization is over all unitary U G B{TL A ). 



with operators U xy : H A — ► H x . It turns out that the 
minimization in Eq. (|49|) can always be restricted to uni- 
tary operators whose off-diagonal blocks vanish. To see 
this, note that the left hand side of Eq. (|4"9")l can be rewrit- 
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ten as 



inf 

u 



{U®1b)V -Vi 
= inf suptr g(V *{U* ® 1 B ) - V*) {{U ® 1 B )V - V\ 



inf sup (2 - 2 Re tr g V? (U <g> 1 B ) Vo 



(51) 



where the supremum is taken over all states g S B*(Tl). 
From the definition of the isometries V% in Eq. (|46|) above 
it is straightforward to verify that 



^([7 ® 1 B )V = V *A U ** ® 1 -) y o.- 



(52) 



in Eq. (|51j) . Therefore, the minimization procedure on 
the left hand side of Eq. (14T))) is not affected by the off- 
diagonal blocks {U xy ,x 7^ y}, which implies that the in- 
fimum is attained at a unitary operator that is a direct 
sum of unitaries, U = ® X U X S ® X B(H X ). On the other 
hand, the cb-norm difference ||r^ — Tf is easily seen 
to be upper bounded by 2 ||(£/<g> ls)Vo — Vi\\ for any 
unitary operator U = <5) X U X . 

In summary, we have shown that the continuity the- 
orem extends to direct sum channels with a unitary U 
that respects the direct-sum decomposition: 

Proposition 6 (Continuity Theorem for Direct 
Sum Channels) 

Let Ti be a finite- dimensional Hilbert space, and 
let {H x } x ex and {Ti x } x ^x be collections of finite- 
dimensional Hilbert spaces. Suppose that Vq,Vi: Tt — > 



> Tt x are Stinespring isometries for the quantum 



channels Ti, T 2 : ® X B(H% O H% ) -> B{H) such that 

X X 

= ^*(0(A:® B x))^ 



(53) 



and dimTi x > 2 dimH x dim7i for all x G X. Let 
Tf:(B x B{T-L^) — » B(Ti) be the local restrictions given by 
Tf(® x B x ) := V?(@ x l£ ® BxJV;. We then have: 



w£\\{U®l B )Vo-Vi\\ J < ||r£ 



1 1 llcb 



< 2 inf II (CTSlflJVb-ViH, 

(54) 

where the minimization is over all unitary operators U = 
(B X U X &® X B{H^). 

The proof of the no-go theorem now immediately follows 
from Prop. [6] 

Proof of Th. [4| Alice will play the purification 
do of the honest strategy oq until commitment time. 



If at that time she decides to go for the bit value 0, 
she will just apply the revert operation R from the 
purification construction, as described in Sec IIII Bl It 
is then no longer possible to tell the difference between 
her actions and the honest ao, not even with full access 
to both labs. On the other hand, if she wants to 
choose bit value 1, she will apply the cheat channel 
C x :B(H x { ai )) -> B(H x (a )) given by C X {A) ■= U*AU X , 
where U := ® X U X € ® X B(H X ) is the unitary operator 
that attains the infimum in Eq. (f54"|) above. In the 
purification construction detailed in Sec. IIIIBI wc have 
for simplicity assumed minimal dilation spaces. Yet 
in order to apply the sneak flip operation, Alice may 
possibly need to double her local lab space ® X B(H X ) to 
satisfy the dimension bound in Prop. [SJ However, this 
can always be postponed right until before the cheat, 
only requires an additional (sufficiently large) ancilla 
system, and hence does not constrain Alice's options. 

Given an e-concealing bit commitment protocol 
with local channels T B (ai) in the sense of Def. [TJ 
we conclude from our discussion in Sec. IIII Fl that 
||r s (a ) — r B (ai)|| cb < s. Hence, the continuity esti- 
mate implies that 



r(a o )(0c :c ®idf) -r(di) 



cb 



< 2 || (U® 1 B ) V(ao) - V(a{)\ 



(55) 



<2J\\TB(a )-TB( ai )\\ ch < 2VS 



where V (ao) , V are Stinespring isometries for r(do) 
and r(ai), respectively. Since the cb-norm difference 
cannot increase under quantum channels, the same 
bound holds after Alice's revert operation R, 



r(fio)(0 C x ® id f) R-T{ax) 



< 2v^. (56) 



cb 



Alice can then confidently announce the bit value 1 in 
the opening. The probability of her cheat being detected 
is upper bounded by 2 \fe. This concludes the proof of 
the strengthened no-go theorem. ■ 



IV. QBC IN INFINITE DIMENSIONS 

In this Section we will relax the general finiteness con- 
dition imposed in Secs.HTland inil and show how to extend 
the no-go proof to quantum bit commitment protocols 
in which the dimension of the underlying Hilbert spaces 
fSec. HV A| . the number of rounds (Sec. HVBj) . or the set 
of classical signals (Sec. IIV C[) are infinite. 



A. Continuous Variable Systems 

We have so far restricted the discussion of the no- 
go theorem to systems that can be described in finite- 
dimensional (albeit arbitrarily large) Hilbert spaces. In 
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this section we show that the results can be easily ex- 
tended to continuous variable systems — as long as the 
systems obey a global energy constraint of a reasonably 
generic form. The total available energy for the protocol 
needs to be finite but can otherwise be as high as de- 
sired, and yet secure quantum bit commitment remains 
impossible. Purists might dismiss this additional energy 
constraint on the basis that it restricts the domain for the 
impossibility proof. Yet most physicists know that infi- 
nite energy is seldom available. In fact, the continuity 
theorem for Stinespring's dilation may be generalized to 
completely positive maps between arbitrary C* -algebras 
(52| . and hence the no-go theorem applies to continuous 
variable systems with unbounded energy, too. But these 
results are somewhat beyond the scope of the present pa- 
per, so we assume a uniform energy constraint to simplify 
the presentation. 

To set the stage, assume that TL is a separable (but no 
longer necessarily finite-dimensional) Hilbert space. As 
before, let £>* (TL) denote the Banach space of trace-class 
operators on TL, and S(TL) C B*(TL) the closed convex set 
of states. We further assume that H: T> — > TL is an un- 
bounded self-adjoint (energy) operator defined on a dense 
set T> C TL. (From the Hellinger-Toeplitz theorem (cf. 
Sec. III.4 in [53]) we know that a symmetric unbounded 
operator cannot be defined on all of TL, so we always as- 
sume a dense subset T>.) For the proof we assume that 
H has discrete spectrum, that all of its eigenvalues h n 
have finite multiplicity, and that linin^oo h n = oo. Un- 
der these conditions, the set of states 



S E {TL) := {g£ S(TL) \ trgH<E} 



(57) 



can be shown to be compact for every E > [54(. As 
we assume this energy constraint to be global, we impose 
that it is respected by the quantum operation T* that de- 
scribes the full bit commitment protocol: T*(g) £ Se(TL) 
for all g S S E (TL). 

Since the continuity theorem applies in this setting 
(46| . the proof presented in Sec. [TTT] goes trough un- 
changed. There is also a simpler proof, which avoids 
the compactness arguments and is based on a useful ap- 
proximation result: any infinite-dimensional system with 
energy constraints as in Eq. (|57p can be approximated to 
arbitrary degree of accuracy by a sufficiently large finite- 
dimensional system. This allows to reduce any bit com- 
mitment protocol to its finite-dimensional counterpart: 



Proposition 7 Given an e-concealing and S-binding 
quantum bit commitment protocol with a global energy 
constraint as in Eq. j57[ ). Then for any 7 > there 
is a corresponding protocol on finite- dimensional Hilbert 
spaces with dimension d = d(-y) which is (e + 7)- 
concealing and (6 + ^-binding. 

Since the latter protocol is unfeasible for sufficiently small 
parameters e, 5 and 7, so is the former. 

The finite-dimensional approximation needed for the 
proof of Prop. [7] relies on the following two lemmas: 



Lemma 8 Let 7 > and Se{TL) as in Eq. |57| ). Then 
there exists a finite- dimensional projector P 7 such that 



tr£>P 7 >l-7 V geS E (TL). 



(58) 



As a consequence, every system with energy constraints 
is essentially supported on a finite-dimensional Hilbert 
space. 



Lemma 9 Let 7 > and P 7 



Lemma [21 The 



for every quantum channel T*:B*(TL) — > B*(TL) which 
respects the energy constraint Eq. J57[ ) we have: 



\T*(e) 



tr P 7 T,(P 7 eP 7 ) 



Py T*(Pyg?Py) Pj\\ 1 



<4V7- 



27 
1-7 



(59) 



for all g £ Se(TL). 



The proof of Prop. [7] is then straightforward: Given the 
continuous-variable bit commitment protocol with en- 
ergy bound E and security parameters e and 8, we con- 
struct its finite-dimensional companion by projecting on 
the subspace P 7 7i, with the finite-dimensional projector 
P 7 chosen as in Lemma [5J We know from the discus- 
sion in Sec. IHII that both the concealment and the bind- 
ingness condition can be expressed in terms of appropri- 
ately chosen quantum channels T» . By assumption, these 
will respect the energy constraint. The approximation in 
LemmalHlthen guarantees that for sufficiently small 7 the 
companion protocol has nearly identical security param- 
eters. Substituting 4 ^7 + t— > 7, this concludes the 
proof. 

It remains to prove the approximation lemmas. The 
proof of Lemma [5] appears in 54[ . We include it here for 
completeness: 

Proof of Lemma [8j Let the eigenvalues of H be 
arranged in increasing order: hi < /12 < /13 < • • •, with 
eigenprojector P„ corresponding to the eigenvalue h n . 
For JV £ N, wc set P N := S«=i p n- We then have for 
all^eW: 



n=N+l 

00 
n=N+l 

< Mm), 



(60) 



implying that h N+1 (l - P N ) < H for all N e N. We 
may then conclude that 

trp(l-Pv) < -^—trgH < — — (61) 
tiN+i n-N+i 

for all g € Se(TL). Since the sequence {/ijv}jv diverges, 
the result follows by choosing P 7 :— P/v for some 
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sufficiently large No. ■ 

Proof of Lemma [9} An application of the trian- 
gle inequality shows that 

|| e -P 7 eP 7 ||l < WQ-PyQWl + WPyQ-PyQPyh 

< ||(i-p 7 )e|| 1 + || e (i-p 7 )||i.(62) 



For q £ SeCH) we know from Lemma [8] that tr (1 
P-y)@ < 7, and thus the two terms on the right of Eq 
may be bounded as follows: 



||(l-P 7 )e||i = ixU(l-By)Q 

< txi^gUU*^Q tr^(l-P 7 )V? 

< V7, (63) 

where we have used the Cauchy-Schwarz inequality for 
the Hilbert-Schmidt inner product, and U denotes the 
polar isometry of (1 — P 7 ) g. Analogously, we have 1 1 g( 1 — 
P 7 )||i < V7, which together with Eqs. (J62J) and J63|) 
implies that 



\g-PjgP-yh < 2V7- 



For all g £ Se {T~t), the renormalized state ^p-^P^gP, 
satisfies the estimate 



(64) 



1 7 

P y gP y - P 7 £»P 7 < — — P 7 £»P 7 , (65) 



1-7 



trP 7 g 



which in combination with Eq. (|64|) implies that 
ll.-^-P 7 ^l| 1 <2V7 +T 7 



7 



(66) 



Since the trace norm cannot increase under quantum op- 
erations [2lj . the upper bound also holds for the norm 
difference ||P*(f?) — tl .p T 1 * (P 7 gP 7 ) || i. As the quantum 
channel is supposed to respect the energy constraint 
Eq. ([57]) , an analogous chain of estimates for the output 
states of the channel and yet another application of the 
triangle inequality then yield the desired result. ■ 



B. An Infinite Number of Rounds 

In this Section we will show how the no-go proof can 
be extended to cover quantum bit commitment protocols 
with a possibly infinite number of rounds — as long as 
the expected number of total rounds remains finite. Just 
as with the energy constraints discussed in Sec. IIV A[ for 
any practical purpose this additional assumption does 
not restrict the domain of the impossibility proof. 

We begin by explaining how the framework introduced 
in Sec.|TT]can be modified to easily accommodate bit com- 
mitment protocols with an infinite number of rounds in 
each the commitment, holding, and opening phase. As 
in the previous Section, the impossibility proof will then 
follow from an approximation argument. 



As described in detail in Sec. Ill Bl each layer X t of 
the communication tree consists of a finite number of 
nodes. Each node x £ X t is connected with nodes 
xm £ X t +i of the following layer, corresponding to the 
classical message m <G M x . However, there is no longer 
a definite layer for which a commitment or opening has 
been reached. Instead, there are now infinitely many lay- 
ers Xt, t £ N. If Alice and Bob choose a definite pair of 
strategies, they check by means of suitable measurements 
how many rounds t have been performed, and whether 
they are willing to continue. The number of rounds then 
naturally plays the role of a classical random variable. 
Introducing the bundle of algebras 



(67) 



x£X t 



the total system is now described by the algebra C (T) of 
all bounded sections 



Fit h-> F(t) £ T_t 



(68) 



where the norm in C(£) is the standard supremum norm 
given by ||P|| = su PteN ||F(*)||. 

Alice's observable algebra, which we denote by C(A), 
is the subalgebra in C(JF) which consists of all bounded 
sections A that assign to every number of rounds t an 
operator A(t) belonging to Alice's subsystem: 



A : A(t) £A t := A x 



(69) 



x£X t 



The observable algebra C(B) of Bob's system is defined 
completely analogously. In our setup for protocols, each 
strategy a that Alice chooses is related to a channel 



r(o) : C(T) - B(t 2 {S)) , 



(70) 



containing all her possible responses to strategies that 
Bob can play by a suitable preparation of his strategy 
register £ 2 (S). 

The channels T(a) include naturally the necessary tests 
to decide for each round whether to remain in the com- 
mitment phase or to proceed with the holding or opening 
phase. The measurement of the number of rounds cor- 
responds to the embedding of the abelian C*-algebra of 
bounded functions on N - denoted by C(N) -, which is 
obviously a subalgebra of C(£). Let St be the function 
in C(N) which takes the value 6t(t) = 1 and 5t(s) = if 
s 7^ t, and let a be some state on B(£ 2 (S)) determining 
Bob's strategy. Then, by definition, the quantity 



P{a,a\t) :=tv(aT(a)(S t )) 



(71) 



is the probability that the commitment phase has been 
reached at round t, provided Alice plays a and Bob plays 
a. 

As advertised above, we now impose the reasonable 
assumption that whenever Alice plays honestly the ex- 
pected number of rounds until commitment is uniformly 
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bounded in the choice of Bob's initial state a: denoting 
by ao and a\ Alice's honest strategies to commit either 
or 1, respectively, there is a finite constant T G K such 
that 

sup^] P{a l: a\t) t < T (72) 

° tGN 

holds for i = 0, 1. The basic idea for the proof of the no- 
go result is now to relate this bound to the energy bound 
of the previous subsection, and hence approximate a pro- 
tocol with possibly infinitely many rounds by a protocol 
with "a priori" finitely many moves. As "Hamiltonian" , 
the number-of-rounds-operator 

# = 5> (73) 

ten 

is perfectly suited. In line with Eq. ([57]) , it is then enough 
to ensure that the states r(aj)*(cr) lie inside Se(L2(H)) 
for an appropriately chosen constant E, where LoiTi) is 
the Hilbert space of square integrable sections 

4> : t » m eH t := ® . (74) 

xex t 

Indeed, we conclude from Eq. (f72"|) that for each initial 
state a the inequality 

tr(r(a,),(tr)f0 = E M^K)^)) < T (75) 

tGN 

is fulfilled for i = 0, 1. Hence, T(cn) t (a) € S T (L 2 {H)), 
and we immediately obtain the following corollary as con- 
sequence of Prop. [71 

Corollary 10 Suppose an e-concealing and S-binding 
protocol with infinitely many rounds such that the ex- 
pected number of rounds until commitment is uniformly 
bounded for Alice playing honest as in Eq. J7£| ). Then for 
any 7 > there is a corresponding protocol on a priori 
finite number of rounds N("f) which is (e + j)- concealing 
and (S + "f)-binding. 

Thus, even protocols with an infinite number of rounds 
do not admit unconditional secure bit commitment. 



C. A Continuous Communication Tree 

So far we have assumed that our protocol is based on 
a communication tree with a discrete set of nodes and a 
finite number of options or messages. In this subsection 
we are going to relax this condition by allowing that the 
nodes as well as the options are taken from an continuous 
set. The set of time steps, however, is kept discrete. For 
simplicity, we restrict the discussion to protocols with a 
fixed number of rounds c until commitment. How does 
the structure of a continuous communication tree look 




FIG. 3: Part of a path in a continuous communication tree. 
The layer Xt belongs to Alice 's move. She sends the message 
(4>t+i{x) , 4>t<f>t+i(x)) to Bob. The next layer is Bob's turn, 
and consists in sending the message (x,(j>t+i{x)) to Alice. 

like? Each layer X t that is associated with the num- 
ber of the time step t is now taken to be a continuous 
compact manifold. The continuous version of connect- 
ing each "node" of the layer X t to some nodes of the 
following slice X t +i is given by a continuous surjective 
map (fit'-Xt+i — > X t . The pre-image 4>7 1 (x) G X t +i of 
a point x G Xt corresponds to the nodes in Xt+i that 
are connected to x. A pair (x, <f>t(x)), x € X t +\, is re- 
garded as a classical message that was sent from the node 
4>t{x) G X t and was received at the node x G X t +i- 
Fig. [3] shows a part of such a continuous communication 
tree. As with discrete communication trees, we asso- 
ciate to each message (x, <^*(x)) of the continuous tree 
a message system that is given by a full matrix alge- 
bra M{x,<f>t[x)) — B{K( Xt< j,j x W). Furthermore, to each 
point x G X t we associate a finite dimensional full ma- 
trix algebra for Alice A(x) = B(TC X ), and likewise for 
Bob B(x) = B(H X ). These algebras are defined recur- 
sively: if t + 1 is Alice's turn, then her algebra A(x) can 
be chosen arbitrarily. Bob's algebra is defined in terms of 
his previous choices of algebras and the message systems, 
as follows: 

B{x):= M{x^ t {x))®B{(j)t(x)) (76) 

for each x G X t +i- Since X t is continuous, we need to re- 
place direct sums by bounded sections within a bundle of 
observable algebras. Introducing the bundle of algebras 

£ t :X t 3x^E t {x) := A(x) ® B(x) , (77) 

the total system at time step t is described in terms of the 
C*-algebra C(£_ t ) of bounded continuous sections in £_ t . 
Alice's subsystem C(A t ) is determined by the constraint 
that for each A G C(A t ) the value A{x) is contained in 
the algebra A(x). In other words, A is a section in the 
sub-bundle A t : x 1— > „4(x). Bob's system C(B t ) is defined 
in the same manner. 
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For every strategy a played by Alice we hence obtain 
a corresponding channel T(a) : C{£_ L ) — > B(£ 2 (S)) mod- 
eling all the local operations and the entire exchange of 
messages up until commitment time t — c. As described 
in Sec. IIII D[ Bob's strategies are programmed by the 
choice of the initial state a on B(£ 2 (S)). Just as before, 
these channels can be decomposed into a sequence of op- 
erations, each corresponding to a move made by Alice or 
Bob: 



r (a) = T (0il ) o T (0i 2) 



oT, 



(o,c) 



(78) 



We may assume that Alice and Bob play locally coherent 
strategies. Then all the channels 



' («,t) 



C{£ t+1 ) - C(S t ) 



(79) 



in the decomposition Eq. (|78|) are pure. Depending on 
whose turn it is, the channels T( Qjt ) need to respect Al- 
ice's and Bob's subsystems: if t + 1 is Alice's move, then 
T( a ,t) maps Alice's subsystem C(./4 t+1 ) into Alice's sub- 
system of the previous step C(A t ), whereas Bob's system 
C(X t +i 1 B) remains unaffected. Consequently, 



T (att) {A)(x) £ A(x) 
T [aA {B o 4> t )(x) = B(x) 



and 



(80) 
(81) 



for all x £ X t and for all B £ C(B t ). Note that for each 
section B £ C(B t ) corresponding to Bob's system the 
section 



B o <f> t : y ^ B(Mv)) € B(Mv)) C B(y) 



(82) 



also belongs to Bob's system C(B t+1 ) at the preceding 
step. 

In complete analogy to the concealing condition for the 
discrete tree, for a protocol with a continuous communi- 
cation tree to be e-concealing we require that 



|r B (« )-r B (a 1 )|L b <e, 



(83) 



where T B (a) is the restriction of T(a) to Bob's subsystem 
C(Hc)- The range and domain algebras of the channels 
T B (a,i) are no longer finite dimensional matrix algebras, 
nor do they admit a straightforward approximation in 
terms of finite dimensional systems. Nevertheless, the 
concealing condition Eq. (|83| implies that Alice may find 
a 2 -Je— cheating strategy, as before. The result follows 
from a generalization of the continuity theorem for Stinc- 
spring's representation theorem to general C* — algebras 



V. PROTOCOLS RELYING ON 
DECOHERENCE 

In this Section we will demonstrate how trusted deco- 
herence in Alice's lab (Sec. |VA"|) Bo b's lab (Sec. IVB]) . 
or in the transmission line (Sec. IV C[) may be employed 
to design secure and fair bit commitment protocols. 



A. The Trusted Coherence Shredder 

A trusted third party makes perfect bit commitment 
a trivial task: Alice may submit the bit to an incorrupt- 
ible notary public, who will store the bit in his vault 
throughout the holding phase, and later pass it on to 
Bob on Alice's notice. In this scenario, the notary public 
will have to be paid for the long-term safe storage of the 
bit. Clearly, Alice and Bob would get away with much 
lower fees, if the notary's presence were only required 
once, and only as a witness, without even having to store 
a file about the event. Such a possibility is offered by 
quantum mechanics. 

The basic idea is that the notary is present in Alice's 
lab until the end of the commitment phase, and sees to 
it that Alice plays honest. If the honest protocols were 
locally coherent, even that would be no help, since we 
have seen that Alice could carry out her cheating trans- 
form later, in the holding phase. However, if the honest 
protocols (do, di) involve some measurement or other de- 
coherence, the notary overseeing these actions can make 
a difference. He could prevent a later cheat by taking 
some part of the system with him and destroying it. In 
our example below it is even sufficient for him to just 
watch Alice make a measurement and, if he so chooses, 
to forget about the result straight away. The protocol 
is perfectly concealing, and is as binding as desired, if a 
dimension parameter d is chosen large enough. 

The setting requires a d-dimensional Hilbert space, 
and two mutually unbiased orthonormal bases {|ej)}j, 
{\fk)}k, which means that (ej\e k ) = (fj\fk) = &jk, and 
l( e il/fc)| 2 = 1/^) f° r sJl j,k — 1, . . . , d. While the max- 
imum number of mutually unbiased bases in a Hilbert 
space of given dimension d is the subject of ongoing 
research, here we only need two such bases, which are 
always easily constructed: starting from any given or- 
thonormal basis {|ej)}j, we may choose {\fk)}k as the 
Fourier-transformed basis, 



(84) 



The protocol begins by Alice sending Bob a half of the 
maximally entangled state 



where \fj) denotes the complex conjugate of \fj) with 
respect to the basis \ej). Then, if she wants to commit the 
bit value "0" , she makes a von Neumann measurement 
in the basis | e j ) , and records the result. Similarly, to 
commit a "1" , she makes a measurement in the basis 
\fj). Thus, if she plays honest, as vouched for by the 
notary public, she will have no quantum system left in 
her lab, only the classical information about the bit value, 
and her measurement result. This is the information she 
sends to Bob at the opening. To verify, he will make 
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a measurement in the basis |ey), if Alice claims to have 
submitted "0", and in the basis \fj) otherwise, finding 
the same result as Alice with probability 1. 

The protocol is perfectly concealing, since in either 
case Bob gets a system in the chaotic state pb = hi- 
lt is also binding, because whatever false bit value and 
measurement result Alice claims, Bob will confirm this 
only with probability 1/d, i.e., practically never, if d is 
large. 

This is essentially the bit commitment protocol orig- 
inally proposed by Bennett and Brassard in 1984 [12j |. 
Alice's EPR attack does not work in our scenario, since 
the notary public will not permit her to delay the mea- 
surements until after the commitment phase. There is 
also a variant of this protocol, in which the measurement 
is not actually carried out. In that case Alice prepares 
one of the mixed states 

Po = ~ E I e i ® e i t e 3® e il ( 86 ) 

3 

Pi = ^J2\f^Mf 3 ®M (87) 

3 

for committing "0" or "1" , respectively. Now the notary 
watching her will see to it that she actually prepares these 
mixed states, and not their purifications. For verification 
Bob uses the support projections Po,i = d ■ po.i- 

Once again, the protocol is perfectly concealing. Let 
us analyze Alice's cheating options, after she prepared 
po, with the trusted notary watching and then leaving. 
If she wants to change her commitment to "1" , she can 
only employ some local channel T (g> id and hope to pass 
Bob's test with the projection Pi. The probability for 
this is 

tr po (T ® id) (Pi) 

1 d — — 

= 2 E^' e iK r ® id )(l-' ! *'^/*./*l)|ei,e J -) 

= \ E NA>r ^j\T(\fk)(fk\)\ej) 

k,j=l 

= iE<«iir(i)|ej) 

" 5- (88) 

The same computation applies to tvp\(T ® id)(Po), so 
Alice's success probability is independently of her 
cheating channel, and may hence be chosen to be arbi- 
trarily small. 



B. A Decoherence Monster in Bob's Lab 

In the proof of Th. [4] we have shown that Alice has 
a cheating strategy for any concealing protocol. Hence 
it is not surprising that by weakening Alice's position, 
namely when decoherence eliminates her favorite cheat- 
ing option, bit commitment protocols like those described 
in the previous section become possible. But it may seem 
rather paradoxical that decoherence acting on Bob's side, 
presumably further hampering the weaker partner, can 
also lead to successful protocols. 

Suppose that every morning, the cleaning service 
comes to Bob's lab, unplugs all vacuum pumps, and re- 
stores what they take for tidiness. Only classical records 
survive this procedure. When Alice is convinced that 
she can rely on this, she might reassess her demands on 
concealment, and the two might agree on a bit commit- 
ment protocol, which under such circumstances is indeed 
both concealing and binding. This example shows very 
clearly that the entangled record introduced in the proof 
is essential. 

The protocol we suggest relies on the distinction be- 
tween the local erasure of information and the destruc- 
tion of quantum correlations, as seen in a pair of channels 
demonstrating the separation between ordinary operator 
norm and cb-norm in an extreme way [551 ]: 

Lemma 11 Let e, 6 > 0. Then for sufficiently large d 
there is a pair of channels R, S : B(JC d ) — > B(C d ) such 
that ||P -S\\<e and \\R - S\\ ch >2-S. 

Since standard operator norm and cb-norm coincide 
for channels with classical (Abelian) output space 
(cf. Th. 3.9 in Paulsen's text j56||), Lemma [TT] demon- 
strates a purely quantum-mechanical effect. 

Proof of Lemma lilt According to Ref. (5f|, a 
quantum channel R:B(C d ) — » B(C d ) is e -randomizing iff 

\\R*(Q) - S*(q)\\i < £ V geB4C d ), (89) 
where S denotes the completely depolarizing channel, 

S{e) = ~tre <^ SJg) = ^-l (90) 
d d 

for all e € B(C d ) and g e B*(C d ), respectively. Eq. 
implies the norm estimate \\R — S\\ < e, as required in 
Lemma 1111 

Hay den et al. show that for d > such an e- 
randomizing quantum channel can be obtained with high 
probability from a random selection of at most p := 
[^dlogdl unitary operators {U^ =1 C B(C d ), 




In striking contrast, exact randomization of quantum 
states (such that e = in Eq. (|89")1 ) is known to require 
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an ancilla system of dimension d 2 ^> /i 57]. However, 
this significant reduction in the size of the ancilla space 
comes at a price: while the randomizing map R erases 
local information, it preserves almost all the correlations 
with a bystander system if d is sufficiently large. In fact, 
it is straightforward to show the upper bound 



2/x 

d?' 



(92) 



where |0) := ^ti 
entangled state on C i 



i, i) again denotes the maximally 
5 <C d . Eq. (92]) implies the bound 



\\R — 5|| cb > 2 — S, where 5 := -S can be made as small 
as desired by choosing d sufficiently large. I 



We can now set up a bit commitment protocol in 
which Bob initially supplies a pure state \ip) on a d- 
dimensional Hilbert space TLb according to the unitarily 
invariant Haar measure. There is only one round for 
Alice, requiring her to send back a system with the same 
Hilbert space. Her honest strategies are specified by a 
pair of channels T k : B(H k A <g> H B ) B{H B ) (k = 0, 1). 
We take them to be locally coherent, i.e., implemented 
by a single isometry 14 : Hb — ► %a ® 7~Lb each. Their 
restrictions to Bob's side will be channels as provided 
by Lemma [TTJ T®{X) = V *(l X)V = R(X) and, 
similarly, Tf = S. 

To reveal her commitment, Alice will later supply Bob 
with the ancilla system 7v%, alongside with the bit value 
k. Bob will then verify Alice's claim with a projective 
measurement on Vk\tp), as illustrated in Fig. [H Clearly, 
this protocol is perfectly sound, since Bob's measurement 
will confirm the bit value k with unit probability if both 
parties have followed their honest strategies. The proto- 
col is ^-concealing, provided the Decoherence Monster 
strikes as planned, implementing some entanglement- 
breaking channel [581 ] on Bob's reference system. By def- 
inition, these are the channels D:B(Hb) — ► B(Hb) such 
that D ® id (g) is separable for any input state g. Hence, 
these channels are sometimes also called separable. In 
Fig. IU the decoherence inflicted by D is indicated by the 
rubbish bin. We will show below that the maximal prob- 
ability difference Bob can detect by preparing suitable 
states and making suitable measurements is then indeed 
just \\R-S\\/2. 

To see that the protocol is binding note first, that Al- 
ice's usual cheating strategy cannot work: If there were 
an operator U such that (U® t)Vo ~ V\ in norm, the two 
channels R and S could immediately be estimated to be 
cb-norm close, in contradiction to the second property 
guaranteed by Lemma [TTl 

However, it is clearly not enough to argue that there 
is no universal cheating strategy for Alice, which suc- 
ceeds regardless of Bob's input state. We need to rule 
out strategies which would allow Alice to fool Bob's test 
in many cases, or with high probability. In addition, we 
also have to show security for arbitrary cheating strate- 
gies and, in particular, we have to make certain that the 
reduction of Bob's lab capabilities by the Decoherence 
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FIG. 4: A quantum bit commitment protocol with local de- 
coherence in Bob's lab. The rubbish bin symbolizes an 
entanglement-breaking channel acting on Bob's reference sys- 
tem. The figure shows the flow of quantum (solid) and clas- 
sical (dashed) information if both Alice and Bob play honest. 
Alice controls all systems on the left-hand side of the figure, 
Bob those on the right-hand side. Time flows upwards. The 
protocol starts with Bob submitting some pure quantum state 
\tp) G C d to Alice, and ends with Bob's measurement M. 



Monster does not also give Alice a bit more freedom to 
cheat. That is, in order to prove security we have to 
explain why the coherent record makes a difference for 
Bob's ability to distinguish the honest strategies, but not 
for his ability to distinguish honest from cheating strate- 
gies in the opening phase. This is the essence of the 
following 

Theorem 12 Let e > 0, 5 > 0. Then for sufficiently 
large dimension d the bit commitment protocol described 
above is perfectly sound, e-concealing, and S-binding. 

In the proof of Th. [T^] we will need to employ some of 
the standard properties of distance measures for quantum 
states and operations, which we collect here for reference. 
We start with the well-known equivalence of the trace- 
norm distance and the fidelity: 



Lemma 13 Let F(g, a) :— tr w ' ^fgo^fg denote the fi- 
delity of two quantum states g, cr S 6*(7i). We then 
have: 



1 



1 



F(Q,a) < llle-aHx < v/l-F 2 ( e ,a) 



(93) 



A proof of Lemma [TBI can be found in Ch. 9.2 of 21] 
The fidelity F(g,a) 



tr y \[qo~\J~Q is symmetric in its 
inputs and unitarily invariant. It never decreases un- 
der quantum operations. If g — IvXvl is pure, we have 
F(ip, a) = W (ip\a\(p) . We will also need the following 
lemma, which appears as Lemma 2 in [23j|: 
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Lemma 14 For any two quantum states g, a S B*{7i) 
we have: 

sup {F 2 (g,Lu)+F 2 (a,iu)} =1 + F(g,a). (94) 

We now proceed from quantum states to quantum op- 
erations: The channel fidelity of a quantum channel 
T:B{C d ) -> B(C d ) is defined as 

F C (T) := F 2 (n,T® id (|OX n D) = ® id (|ftXfi|)|ft), 

(95) 

where = 4= X)j=i li) ® \j) i s maximally entangled 
on C d (g) C d , as before. The channel fidelity F C (T) is a 
measure for the quantum channel T to preserve entan- 
glement with a bystander system, and is closely related 
to the average fidelity of the channel T, 



F(T) := / MTOVWIM (96) 
where the integral is over the normalized Haar measure: 



Lemma 15 For any quantum channel T: B(C d ) — > 
B(C d ), we have: 

F{T) > F C (T) >F(T) - i (97) 

The proof of Lemma [15] is immediate from the relation 



F(T) = 



dF c (r) + 1 



(98) 



In the protocol described above we grant the Decoherence 
Monster the freedom to apply an arbitrary entanglement- 
breaking quantum channel on Bob's bystander system. 
Any such channel D:B(Hb) — > B(Hb) can be decom- 
posed [HI] as D = Di o D 2 , where 



D V C x -» B(W B ) 
£ 2 : B(W B )^Cx, 



and 



(99) 
(100) 



and Cx denotes the Abelian algebra of the complex- 
valued functions on the finite set X (with \X\ elements). 
In other words, any entanglement-breaking channel can 
be thought of as being built from a measurement channel 
D\, with resulting classical output system Cx, followed 
by a re-preparation D 2 - (Note that Eqs. (|99|) and pOOp 
describe the channels in the Heisenberg picture, so 
the direction of arrows is inverted, cf. Sec. I VII Al ) 

In order to confirm e-concealment of the monster pro- 
tocol, we will need to show that any such entanglement- 
breaking channel D renders Bob's bystander system use- 
less for the analysis of Alice's actions: 

Lemma 16 For any linear map L:B(Ti) — > B(JC) and 
any entanglement-breaking channel D:B(Hi) ^ B{K{), 



\L®D\\ = \\L\ 



(101) 



Since entanglement-breaking channels have a decompo- 
sition D\ o D 2 with an intermediate classical system Cx , 
it will turn out sufficient to verify this property for the 
noiseless classical channel id x ■ 

Lemma 17 For any linear map L:B(7i) — » B(JC) and 
any classical observable algebra Cx, 

\\L®id x \\ = \\L\\. (102) 

Proof of Lemma UTt For any a 6 B(H) we have, 

\\L(a)\\ =||L®id x (o(8lx)|| <\\L®id x \\ \\a\\, 

(103) 

which shows that ||L|| < \\L ®idx||- 

For the converse implication, note that any classical- 
quantum state g on B(IC) ® Cx is of the form 



I A" | 



= Qx ® \x)(x\, 



(104) 



X=l 



\X\ 

where {paj-^Jx is a classical probability distribution, 
\Qx} x Ji is a set of quantum states on B(K), and {Ix)}^^ 
denotes an orthonormal basis for C' x ' (cf. Prop. 2.2.4 in 
[6l|). We may now estimate, 



1*1 



®iA x )q\\i < J^Px \\L*(Qx) ® \x)(x\\\i 

x=l 
\X\ 

= £ftc||i.(fe)Hl ( 105 ) 
x=l 

\X\ 

<J2px \\l\\ = \\l\\, 



and hence \\L ®idx\\ < \\L\\, as claimed. ■ 

Proof of Lemma 1161 Choosing a 6 B(H), we 
immediately have 



\L{a)\\ = \\L(a)®l Kl \\ 

= \\(L®D) (oglwJH 
< ||L®D|| \\a®l ni \\ 
= \\L®D\\ Mall , 



(106) 



implying ||£|| < \\L ® D\\. 

For the converse implication, let D = Di o D 2 be a 
decomposition as in Eqs. (f9"9"| and (| 1 00[) above. We may 
then estimate, 



\L®D\\ = ||L®(DioD 2 )|| 

= ||(idx:®I>i)(i®idx)(id«®D2)| 
< ||id K ®-Di|| ||£®idx|| ||id-H®-D 2 | 



(107) 



< \\Di\ 



cb 



|L®idx|| \\D 



2l!cb 



lil 



where in the last step we have used Lemma [T7] and the 
fact that ||T|| cb = 1 for any channel T (cf. Sec. lyTTCl) . 
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We now have all the tools at hand to complete 
the 

Proof of Th. 112b Soundness of the protocol is 
clear. Setting L := R — S in Lemma 1161 e-concealment 
follows immediately from Lemma [TT] 

Thus, it only remains to show that the protocol is 6- 
binding. As a warm-up exercise, let us first exclude the 
possibility of Alice committing to the bit value k in the 
commitment phase, and then announcing the bit 1 — k 
in the opening phase. This is sometimes called passive 
cheating. 

If Bob has initially supplied the pure state \ip) £ C d , 
the probability of successfully passing Bob's projective 
measurement in such a scenario is -P("0) := |(VbV'|Vi'0)| 2 > 
resulting in the overall cheating probability 



P 



P(if>) dip 



(108) 



For S and d as in Lemma [TT1 we then have the estimate 



2-8 



< 
< 



||t* ® id - 1* ® id 

||(F ® i)|nx^|(^o* ® i) 

-(^0 1)10X01(^*0 1)111 



< 2y/i- f 2 (v ® vi i i|n)) 



2^1-^(1^) 



03 _ 

< 2 X /l-F(V?V 1 ) + ^ 



™2,/l-P + I, 



(109) 



where in the second step we have used that the trace- 
norm cannot increase under the partial trace operation 
[HI]. From Eq. (TT09|) we conclude that 



P < 



1 



(110) 



Since the right side of Eq. (jllOp can be made as small 
as desired by stepping up the dimension, this gives the 
desired upper bound on Alice's probability of successfully 
passing Bob's test. 

So far we have only proven bindingness against passive 
cheating attacks. As illustrated in Fig. [5l Alice's most 
general attack consists of applying some quantum chan- 
nel T s : B(H t )®B(H B ) -> B{H B ) during the commitment 
phase, independently of the bit value k £ {0,1}. She 
will send a d-dimensional quantum system to Bob 
without having committed to either bit. Only before the 
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FIG. 5: Alice's cheating strategy consists of applying some 
quantum channel T* in the commitment phase, and then an- 
other quantum channel T\ to commit to the bit value k £ 
{0, 1} only before the opening. Her goal is to pass Bob's pro- 
jective measurement M . 



opening will she then decide on a bit value k, apply a 
corresponding quantum channel T|: B(TC\) — > B(H$) on 
her remaining system, and hope to pass Bob's projective 
measurement. 

Assuming that Alice is a not prejudiced towards cither 
bit, the probability of passing Bob's test is then P := 
|Po + |Pi, where for k e {0, 1} we set 

Pk ■= J {V k ^\{Tl®iA B )Tl(\^m)\V k vj) dip. (Ill) 

This probability can be bounded as follows: 

Pk = ( m k \Tt®id B )Tt{\vj)^\)V k \v^)dvb 



^ F{VZ[Tt®i* B )T$V k ) 

S3 » l 

< Fc (V k *(Tl®id B )T}V k ) + - 
# F*(V k ®t B ,\U),{Ti 

< F 2 (T^®id B ,(|0)(0|) 



(112) 



ids 



id b>) 



(T|(g)id B /)(|OXn|)) +- 



tr„/r»®id s ,(|ft)(0|))+~ 

where in the final step we have used the monotonicity 
of the fidelity under the partial trace operation. Com- 
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bining this estimate with Lemma [14] and Eq. (|92|) then 
immediately yields the bound 



P < 



1 



F(R( 



.id B /(|nxn|),5®id B '(|nxn|)) 

(113) 



The right-hand side can be brought as close to | as 
desired by stepping up the dimension. Resubstituting 
2 + -kVS ^ S, the protocol is (5-binding. This concludes 
the proof of Th. Q21 ■ 



C. Decoherence in the Transmission Line 

While noise in the transmission line is generally consid- 
ered a nuisance, and coding theorists have designed elab- 
orate error correcting codes to cope with it, Wyner [62j 
was the first to realize that noise may sometimes be bene- 
ficial for cryptographic applications — in his case for key 
distribution. Crepeau and Kilian [63| have later shown 
that classical noisy channels may also be employed to 
establish secure bit commitment. Their results have sub- 
sequently been improved in [64], [65[ . Recently Winter et 
al M have considered the azotic version of string 
commitment and have obtained a single-letter expression 
for the commitment capacity of a classical noisy channel. 
Their results show that any nontrivial noisy channel can 
be used to establish secure bit commitment. The theorem 
can be extended to so-called classical- quantum channels. 
But it remains an open question whether fully quantum 
channels can also be useful for bit commitment. 

Misaligned spatial reference frames can also effectively 
act as a noisy channel, and facilitate secure bit commit- 
ment. An example for a secure protocol was recently 
given by Harrow et al. (67| . 



VI. SUMMARY AND DISCUSSION 

In summary, we have presented a general frame- 
work for two-party cryptographic protocols and have 
shown that secure quantum bit commitment is impos- 
sible within that framework — by giving explicit bounds 
on the degree of concealment and bindingness that can 
be simultaneously achieved in any given protocol. Our 
proof covers protocols on finite or infinite dimensional 
Hilbcrt spaces with any number of rounds in each of the 
commitment, holding, and opening phases. In contrast to 
earlier proofs, we do not assume the receiver to be bound 
to a publicly known strategy. Thus, our strengthened no- 
go result also covers the anonymous state protocols that 
have been repeatedly suggested as a way to circumvent 
the standard no go arguments. If the receiver's strategy is 
fixed and common knowledge, our bounds coincide with 
those obtained by Spekkens and Rudolph [23| , and hence 
the standard no-go proof is recovered in that case. 



Our formulation of the no-go proof contains an explicit 
treatment of the classical information flow, possibly of in- 
dependent interest for other cryptographic applications. 
As a consequence, the framework directly applies to the 
purely classical setting, in which no quantum informa- 
tion is exchanged and all local Hilbert spaces are one- 
dimensional. Note however, that in order to cheat with a 
sneak flip operation as described in the proof of Th. 2] in 
general Alice will nevertheless need to apply a quantum 
operation. This is so because the commutant of Bob's 
classical system is usually a hybrid containing both clas- 
sical and quantum parts. Hence, a classical protocol em- 
bedded in a quantum world allows Alice to cheat, but the 
fully classical no-go proof is not directly recovered. 

We emphasize that in our setup, Alice and Bob may 
draw on an unlimited supply of certified classical or quan- 
tum correlations, in the form of an arbitrary shared ini- 
tial state poi and yet secure quantum bit commitment 
remains impossible. This is in striking contrast to quan- 
tum coin tossing: starting with a maximally entangled 
qubit state and measuring in a fixed basis, Alice and 
Bob can obviously implement a perfectly fair and secure 
coin tossing protocol 3 . 

In the second part of the paper, we have analyzed 
quantum bit commitment protocols relying on decoher- 
ence. We have presented a new such protocol in which 
provably secure bit commitment is guaranteed through 
an entanglement-breaking channel in the receiver's lab. 
The protocol relies on the separation between local era- 
sure of information and the destruction of correlations, 
which is a purely quantum mechanical effect. 

In accordance with most of the literature, throughout 
this work we have restricted the discussion to quantum 
bit commitment protocols in which concealment is guar- 
anteed for all branches of the communication tree. This 
is sometimes called strong bit commitment, in order to 
distinguish it from a weaker form in which Bob may pos- 
sibly learn the value of the bit — as long as Alice receives 
a message stating that the bit value has been disclosed. 
Weak bit commitment protocols have been analyzed by 
Hardy and Kent (30j . and independently by Aharonov 
et al. [31]. Such protocols are sufficient whenever bit 
commitment is only part of a larger cryptographic en- 
vironment, and the value of the bit itself does not re- 
veal any useful information. In particular, secure weak 
bit commitment protocols could be applied to implement 
quantum coin tossing. However, weak bit commitment is 
likewise impossible, with identical bounds on the con- 
cealment and bindingness. The no-go proof follows our 
analysis for strong bit commitment in this paper, but the 
concealment condition now only has to be guaranteed for 
a subtree, and hence for a subchannel. Alice then finds a 
sneak flip operation from a version of Stinespring's conti- 
nuity theorem for subnormalized quantum channels [52| . 



We would like to thank the referee for clarifying this point. 
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VII. APPENDIX: LANGUAGE AND 
NOTATIONS 

This appendix contains the necessary background on 
observables, states and quantum channels, as well as on 
direct sums and their role for the description of alge- 
braically encoded classical information. We restrict the 
discussion to the basics, and refer to the textbook of 
Bratteli and Robinson [(38| and Keyl's survey article [6l[ 
for a more complete presentation. 



A. Observables, States, and Quantum Channels 

The statistical properties of quantum systems are 
characterized by spaces of operators on a Hilbert space 
H: The observables of the system are given by bounded 
linear operators on H, written B(H). This is the proto- 
type of a C*-algebra and is usually called the observable 
algebra of the system. The physical states are then those 
positive linear functionals oj:B(H) — > C that satisfy 
the normalization condition cj(1) = 1. We restrict 
our discussion to finite-dimensional Hilbert spaces, for 
which all linear operators are bounded and every linear 
functional u> can be expressed in terms of a trace-class 
operator g u £ B*(H) such that uj(A) — trg u A for all 
A G B(H). The normalization of the functional u> than 
translates into the condition trg w = 1. The physical 
states can thus be identified with the set of normalized 
density operators g € i3* (H) . 

A quantum channel T which transforms input systems 
described by a Hilbert space Ha into output systems 
described by a (possibly different) Hilbert space Hb is 
represented (in the Heisenberg picture) by a completely 
positive and unital map T:B(Hb) — * B(Ha)- By unital- 
ity we mean that T(1b) = ^a, with the identity operator 
lx G B(Hx)- Complete positivity means that id„ <g> T 
is positive for all i/£N, where id„ denotes the identity 
operation on the (y x v) matrices. 

The physical interpretation of the quantum channel T 
is the following: when the system is initially in the state 
g € B*(TCa), the expectation value of the measurement of 
the observable B E B(Hb) at the output side of the chan- 
nel is given in terms of T by tr g T(B). Unitality provides 
the normalization, while complete positivity guarantees 
that all expectation values remain positive even if the 
channel is only part of a larger network. 

Alternatively, we can focus on the dynamics of the 
states and introduce the dual map 6* (Ha) —> B*(Hb) 
by means of the duality relation 

trT,(g)B = trgT(B) V g G B,{H A ), B G B{H B )- 

is a completely positive and trace-preserving map 
and represents the channel in the Schrddinger picture, 
while T provides the Heisenberg picture representation. 
For finite-dimensional systems, the Schrodinger and the 



Heisenberg picture provide a completely equivalent de- 
scription of physical processes. The interconversion is 
always immediate from Eq. (|114ll . 



B. Direct Sums and Quantum-Classical Hybrid 
Systems 

Our general description of bit commitment protocols 
includes a full treatment of the classical and quantum in- 
formation flow. As explained in Section Hi B| the nodes of 
the communication tree correspond to the classical infor- 
mation accumulated in the course of the protocol. Direct 
sums are a convenient way to encode this information in 
the observable algebras: For a finite collection of observ- 
able algebras {A x }xgx, the direct sum algebra 



x 



x 



0A :={®4 | A x G A x } (115) 

x—l x—1 

represents the physical situation in which the system un- 
der consideration is described by an observable algebra 
Ax if the classical information x G X has been accu- 
mulated. Sums and products as well as adjoints in this 
algebra are defined component- wise, i. e., 



®(A X + B X ) 

X 


(116) 


X 


(117) 


(« • Ax) 

X 


(118) 


(X\ A* 


(119) 



for all operators A X ,B X G A x , and coefficients a £ C. 
It is straightforward to verify that with these definitions 
® X A X is indeed an algebra with identity 1 = (B x lx i where 
for each x € X t x denotes the identity in A x ■ The norm 
on ® X A X is given by 



C A X \\ := max || A, 



(120) 



If A x = B(H X ) for a collection of Hilbert spaces 
{Wxlxti, then ® X B(H X ) C B( ® x H x ). The physical 
states on such a system are of the form (BxPxQx, where 
g x G B*(H X ) are states on the component algebras and 
{px\x=\ i s a classical probability distribution. 

As explained in Section [II Bl in our formulation of the 
bit commitment protocol the component algebras A x will 
usually be tensor products of observable algebras in Al- 
ice's and Bob's lab, respectively: A x = A x (a) (8 B x (b). 
The local algebras A x (a) and B x (b) could be full ma- 
trix algebras, or could themselves be direct sums, rep- 
resenting local classical information available to Alice 
or Bob exclusively. The strategic operations that are 
performed by Alice and Bob are described by channels 
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acting on these direct sum algebras. In the Heisenberg 
picture, these channels are completely positive unital 
maps T : A -> B(H) with A = ® X A X . Their inter- 
pretation is easily seen from Stinespring's representation 
(Prop. []}: There exists a Hilbert space /C, an isometry 
V: Ti — ► K. as well as a representation ti of ^4 such that 
T(A) = U*7r(A)U holds. For each a; G X, the identity 
operator of the direct summand A x is a projection P x 
in .4 that commutes with all operators in A. These pro- 
jections generate an abelian subalgebra C{A) called the 
center of A. Since 7r is a *-representation and therefore 
respects the product of operators, n(P x ) projects onto 
the subspace tt{P x )K =: K, x , which is invariant under 
the action of all represented operators it (A). Hence we 
obtain for every x a representation of A on IC X according 
to 

7T X (A) := n(P x )n(A)n(P x ) = tt(A)tt(P x ). (121) 

Since each direct summand A x = B{TL X ) is a full matrix 
algebra, the Hilbert spaces JC X can be chosen to be of the 
form JC X = 7i x ®M. x with appropriate multiplicity spaces 
M. x . The representation ix x is then given by tt x ((B x A x ) = 
A x <S> 1jw x ■ lu terms of the representations ir x , the action 
of the channel T on an operator A can be written as 

T(A) = y*^[A)V . (122) 
x ex 

How is this kind of representation interpreted in op- 
erational terms? We first have a look at measurement 
operations in the Heisenberg picture. Usually a measure- 
ment operation is described by a positive operator valued 
measure (POVM), i.e., a collection 

{M x e B{K) | < M x < 1, Y, x M x = 1} . (123) 

The set X is interpreted as the set of possible measure- 
ment outcomes. In the Heisenberg picture, this corre- 
sponds to a completely positive normalized map M from 
the abelian algebra © X C = C x into B{fC). Namely, 
the operator / G C x is mapped to M(f) = J2 x M x f x . 
Hence, measurement operations are a special class of 
channels on direct sum algebras, where each summand 
is chosen to be one-dimensional, A x = C. Thus, if we 
restrict the channel T to the center C(A), which is iso- 
morphic to C x , then we obtain a measurement operation 
whose corresponding POVM is given by the operators 
{V*tt(P x )V\x G X}. To verify this, we evaluate T on a 
central element C S C(A), 

\ x j x 

where central elements C are expressed as linear combi- 
nations of the projections P x , i.e., C = J2 X C x P x with 
C x G C. This justifies the following interpretation: The 
quantum system under investigation is described by the 
observable algebra A x if the measurement results in the 



outcome x 6 X. In other words, the direct sum op- 
eration can be seen as a "logical XOR" composition of 
quantum systems — in contrast to the tensor product, 
which corresponds to the "logical AND" . 

Coming back to the bit commitment protocol, the 
nodes of the communication tree then in fact have a natu- 
ral interpretation as outcomes of a measurement process 
returning a history of communicated decisions, which are 
given by the unique path in the tree starting at its root 
and ending at x G X. 

C. Distance Measures 

In order to evaluate the concealment and bindingness 
conditions in a quantum bit commitment protocol we 
need to measure the distance between two quantum chan- 
nels or two quantum states: Assume two channels T\ and 
T2 with common input and output algebras A and B, 
respectively. Since these Ti are (in Heisenberg picture) 
operators between normed spaces B and A, the natural 
choice to quantify their distance is the operator norm, 

NT TIL «i,n \\Ti(B)-T 2 (B)\\ 

\\Ti - T 2 \\ := sup — J, . (125) 

B^O \\o\\ 

The norm distance Eq. I|125p has a neat operational char- 
acterization: it is twice the largest difference between the 
overall probabilities in two statistical quantum experi- 
ments differing only in replacing one use of T\ with one 
use of T2 . 

However, we also want to allow for more general ex- 
periments, in which the two channels are only applied 
to a sub-system of a larger system. This requires stabi- 
lized distance measures [69(, and naturally leads to the 
so-called norm of complete boundedness (or cb-norm, for 
short) [56|: 

- T 2 || cb := sup Hid,® (Ti - T 2 )\\ , (126) 

where id „ again denotes the ideal (or noiseless) chan- 
nel on the (y x ^-matrices. Useful properties of the 
cb-norm include multiplicativity, i.e., ||Ti ® 2~2|| c b = 
||Ti|| cb ||T2|j cb , and unitality: ||T|| cb = 1 for any chan- 
nel T. 

Obviously, ||T|| cb > ||T|| for every linear map T. If 
either the input or output space is a classical system, 
we even have equality: ||T|| cb = ||T|| (cf. Ch. 3 in [H(|). 
Fully quantum systems generically show a separation 
between these two norms. 

States are channels with one-dimensional input space, 
C. Since this is a classical system, there is no need to dis- 
tinguish between stabilized and non-stabilized distance 
measures. The so-called trace norm \\g\\i = tr ^/g* g is 
frequently employed to evaluate the distance between two 
density operators. The trace norm difference \\g — <r||i 
is equivalent to the fidelity F(g, a) := tr w ' y/go^fg (cf. 
Lemma [TBI . 



29 



For any linear operator T the operator norm ||T|| 
equals the norm of the Schrodinger adjoint T + on the 
space of trace class operators, i.e., 

||T||= sup WT^U (127) 

llel|i<i 

(cf. Ch. VI of [E3 and Section 2.4 of [H] for de- 
tails), which is the usual way to convert norm estimates 
from the Hcisenberg picture into the Schrodinger pic- 
ture and vice versa. For states = g, the operator 
norm then indeed just coincides with the trace norm: 

imi = r*iii = yii. 
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